The Project Zero team at Google recently uncovered critical zero-day vulnerabilities in the Samsung Exynos modems, which are utilized in various devices including the Pixel 6 series, Pixel 7 series, Samsung smartphones and Samsung wearables, and other similar products. These vulnerabilities are so severe that Google is recommending that users disable VoLTE and Wi-Fi calling features until proper patches can be implemented.
Project Zero, a team renowned for its ability to discover zero-day vulnerabilities, recently disclosed a total of 18 vulnerabilities found in Exynos modems between late 2022 and early 2023. Among these vulnerabilities, four were particularly concerning, including CVE-2023-24033, which involves internet-to-baseband remote code execution. It is important to note the gravity of these vulnerabilities as they have the potential to cause significant harm if not addressed properly.
The remaining 14 vulnerabilities discovered by Project Zero in the Exynos modems are considered less severe than the four previously mentioned, as they typically require a malicious mobile network operator or an attacker with physical access to the device to exploit them. While these vulnerabilities are not as critical as the internet-to-baseband remote code execution issue, they still pose a potential threat to the security of affected devices and must be taken seriously.
Based on tests conducted by Project Zero, the four vulnerabilities that allow for internet-to-baseband remote code execution in the Exynos modems can be exploited by attackers to compromise a phone at the baseband level remotely, with no user interaction required. In other words, attackers could potentially gain control of the affected devices without the user’s knowledge.
According to Project Zero, exploiting these vulnerabilities only requires the attacker to know the victim’s phone number, and with limited additional research and development, skilled attackers could create an operational exploit to compromise affected devices silently and remotely. This underscores the severity of these vulnerabilities and the importance of taking measures to mitigate the risks they pose.
Project Zero has decided to make a policy exception and delay the disclosure of the four vulnerabilities that allow for internet-to-baseband remote code execution. This decision was made due to the extremely rare combination of the level of access these vulnerabilities provide and the speed with which a reliable operational exploit could potentially be developed. By delaying the disclosure, Project Zero hopes to provide additional time for device manufacturers to develop and implement effective patches to address these critical security flaws.
Samsung Semiconductor, in its statement released in January 2023, has identified the following chipsets as being affected by the Exynos modem vulnerabilities: Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123.
Google has also compiled a list of likely affected products, which includes:
- Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro smartphones
- Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series smartphones
- Samsung Galaxy Watch 4 and Watch 5
- Samsung Galaxy Buds Pro and Buds 2
- Various Samsung tablets and other mobile devices that use the affected Exynos modems
- Vivo phones including those in the S16, S15, S6, X70, X60, and X30 series
- Any vehicles that use the Exynos Auto T5123 chipset
It is important to note that this list may not be exhaustive, and users of other devices that utilize these chipsets should exercise caution and stay informed about any potential security risks.
In addition to the Pixel 6 (Exynos 5123) and Pixel 7 (Exynos 5300), several other devices have been identified as potentially affected by the Exynos modem vulnerabilities. These include the Samsung Galaxy S22 smartphones, some of the Galaxy A series smartphones, some of the Vivo phones, as well as the Galaxy Watch 4 and 5.
Regarding the Pixel phones, Google released a security patch in March 2023 to address the main vulnerability, CVE-2023-24033, which was discovered by Project Zero. However, it is worth noting that the patch was delayed by a week and should have been rolled out earlier. Users of these devices should ensure they have installed the latest security updates to mitigate the risks posed by these vulnerabilities.
Turn off VoLTE and Wi-Fi calling
It is worth noting that, as of now, the Pixel 6, 6 Pro, and 6a have not received the March security update and remain vulnerable to the Exynos modem vulnerabilities. Therefore, users of these devices should take immediate measures to protect themselves.
In line with Project Zero’s recommendations, users can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings to mitigate the risk of exploitation of these vulnerabilities until security updates become available. By turning off these settings, the exposure to the vulnerabilities can be reduced, making it more difficult for attackers to exploit them.
To disable Wi-Fi calling on Pixel phones (and most of the other Android phones), users can follow these steps:
- Open the “Settings” app on your Pixel phone
- Select “Network & internet” from the list of options
- Tap on “SIMs”
- Find the option for “Wi-Fi calling” and toggle it off
Once you have completed these steps, Wi-Fi calling will be disabled on your device, which can help to mitigate the risk of exploitation of the Exynos modem vulnerabilities until security updates become available.
To disable VoLTE on Pixel phones, users can follow these steps:
- Open the “Phone” app on your Pixel phone
- Tap the three dots in the top-right corner to open the menu
- Select “Settings” from the list of options
- Scroll down to the “Calling” section and select “Voice over LTE settings”
- Toggle the switch next to “Enable VoLTE” to the off position
Once you have completed these steps, VoLTE will be disabled on your device, which can help to mitigate the risk of exploitation of the Exynos modem vulnerabilities until security updates become available.
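For anyone responsible for more than one device, the affected-model list and the March 2023 Pixel patch above can be applied to a device inventory to see which assets should have VoLTE and Wi-Fi calling turned off. This is an added example, not code from Google, Samsung or Project Zero; the inventory rows, asset IDs, status labels and the rule that a Pixel patch level of 2023-03-01 or later counts as patched are assumptions, and matching is by model name only.

```python
import csv
import io
import re
from datetime import date

# Model families from the article's "likely affected" list. Tablets and
# vehicles are left out because the article names no models for them.
FAMILIES = {
    "pixel": r"\bPixel (6a|6 Pro|6|7 Pro|7)\b",
    "galaxy": r"\bGalaxy (S22|M33|M13|M12|A71|A53|A33|A21|A13|A12|A04)(?!\d)",
    "wearable": r"\bGalaxy (Watch ?[45]|Buds ?(Pro|2))\b",
    "vivo": r"\bVivo (S16|S15|S6|X70|X60|X30)(?!\d)",
}
# Assumption: a Pixel patch level dated March 2023 or later carries the fix.
PIXEL_FIX_LEVEL = date(2023, 3, 1)

# Constructed inventory (asset IDs and rows are made up for the example).
SAMPLE_INVENTORY = """asset,model,security_patch
ph-001,Google Pixel 7 Pro,2023-03-05
ph-002,Google Pixel 6a,2023-02-05
ph-003,Samsung Galaxy S22 Ultra,2023-02-01
ph-004,Google Pixel 7a,2023-05-05
ph-005,Samsung Galaxy A21s,
wt-006,Samsung Galaxy Watch5 Pro,2023-01-01
ph-007,Google Pixel 6,unknown
"""

def triage(model, patch_level):
    """Return a status label (labels are this example's own) for one device."""
    family = next((f for f, rx in FAMILIES.items()
                   if re.search(rx, model, re.I)), None)
    if family is None:
        return "not-listed"
    if family != "pixel":
        # The article gives no fixed patch level for non-Pixel devices, so the
        # interim mitigation (VoLTE and Wi-Fi calling off) applies.
        return "mitigate-check-vendor"
    try:
        patched = date.fromisoformat(patch_level.strip()) >= PIXEL_FIX_LEVEL
    except ValueError:
        patched = False  # missing or unparsable level: treat as unpatched
    return "march-patch-present" if patched else "mitigate-now"

def triage_inventory(csv_text):
    """Map asset ID -> status for every row of a CSV inventory."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset"]: triage(r["model"], r["security_patch"] or "") for r in rows}

if __name__ == "__main__":
    for asset, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(asset, status)
```

A model-name match only means the device is on the likely-affected list; the chipset still has to be confirmed per device, and the list itself may not be exhaustive.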
Source: Google Project Zero