A patch is already available for the Pixel 7, thankfully.
Devices that utilize Samsung Exynos modems may be an easy target for hackers. In a new report, Google’s Project Zero team identified 18 zero-day vulnerabilities in recent Exynos modems. Google suggests disabling Wi-Fi calling and VoLTE on affected devices, though most users cannot disable these settings.
Only four of the vulnerabilities identified by Project Zero are of immediate concern. According to Project Zero, these vulnerabilities may enable internet-to-baseband remote code execution. While the details are a bit unclear, Project Zero claims that hackers can exploit these vulnerabilities using only a victim’s phone number. (The other 14 vulnerabilities require a “malicious mobile network operator or an attacker with local access to the device.”)
Project Zero first reported these vulnerabilities in late 2022. Google included a patch in the Pixel 7’s March update (which you should install if you haven’t already), but as Project Zero’s Maddie Stone notes, most devices are still unpatched.
End-users still don’t have patches 90 days after report…. https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
Unfortunately, it’s hard to figure out all the devices that may be affected by this exploit. Project Zero put together a rudimentary list using public information, though I’m not sure that this is a complete list (I suspect that smartwatches with new Exynos cellular modems may be affected as well):
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series.
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series.
- The Pixel 6 and Pixel 7 series of devices from Google.
- Any vehicles that use the Exynos Auto T5123 chipset.
According to Samsung, the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123 are affected by these vulnerabilities.
Project Zero usually publishes detailed information on zero-day exploits. But due to the severity of these vulnerabilities, it’s holding back some information. For what it’s worth, only one of the four major vulnerabilities (CVE-2023-24033) has been assigned a CVE.
In its blog post, Project Zero suggests that users disable Wi-Fi calling and VoLTE on affected devices (open Settings, go to “Network and Internet,” and select “SIM”). Disabling these settings will prevent phone calls from being made or received on most carrier networks. And, unfortunately, some carriers don’t let you alter these settings.
My advice is to install the latest update available to your phone. Depending on when you read this article, the March Android patch may be available to you (thereby resolving this issue). If you’re a high-risk target, you may want to disable Wi-Fi calling and VoLTE, though this isn’t a realistic option for most users.
Source: Project Zero