Mar 17, 2023 | Ravie Lakshmanan
Google is calling attention to a set of severe security flaws in
Samsung’s Exynos chips, some of which could be exploited remotely
to completely compromise a phone without requiring any user
interaction.
The 18 zero-day vulnerabilities affect a wide range of Android
smartphones from Samsung, Vivo, and Google, as well as wearables
using the Exynos W920 chipset and vehicles equipped with the
Exynos Auto T5123 chipset.
Four of the 18 flaws make it possible for a threat actor to
achieve internet-to-baseband remote code execution, Google Project
Zero, which reported the issues in late 2022 and early 2023,
said.
“[The] four vulnerabilities allow an attacker to remotely
compromise a phone at the baseband level with no user interaction,
and require only that the attacker know the victim’s phone number,”
Tim Willis, head of Google Project Zero, said[1].
In doing so, a threat actor could gain entrenched access to
cellular information passing in and out of the targeted device.
Additional details about the bugs have been withheld.
The attacks might sound prohibitive to execute, but, to the
contrary, they are well within reach of skilled attackers, who can
quickly devise an operational exploit to breach affected devices
“silently and remotely.”
The remaining 14 flaws are said to be not as severe, as they
require a rogue mobile network insider or an attacker with
local access to the device.
While Pixel 6 and 7 handsets have already received a fix[3]
as part of March 2023 security updates, patches for other devices
are expected to vary[4]
depending on the manufacturer’s timeline.
Until then, users are advised to switch off Wi-Fi calling
and Voice over LTE (VoLTE) in their device settings to “remove the
exploitation risk of these vulnerabilities.”
References
- [1] said (googleprojectzero.blogspot.com)
- [2] RESERVE YOUR SEAT (thn.news)
- [3] received a fix (source.android.com)
- [4] expected to vary (semiconductor.samsung.com)
- [5] Twitter (twitter.com)
- [6] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/03/google-uncovers-18-severe-security.html
