Security researchers at Google‘s Project Zero team have discovered multiple serious zero-day vulnerabilities on Samsung’s Exynos modems. The vulnerabilities affect dozens of smartphones and wearables from Samsung, Google, and Vivo. The Galaxy S22 series, Galaxy A53, Galaxy A33, Pixel 6 series, Pixel 7 series, Vivo X70 series, and the Vivo S16 series are among the affected devices.
In a recent blog post, Project Zero revealed that they have discovered 18 zero-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. Four of those are critical flaws that could lead to Internet-to-baseband remote code execution if exploited in the wild. A remote attacker would only require to know the victim’s phone number to compromise a phone at the baseband level with no user interaction. These vulnerabilities aren’t too difficult to exploit, the researchers concluded.
The remaining 14 vulnerabilities aren’t as severe, though. They require “either a malicious mobile network operator or an attacker with local access to the device”. Project Zero reported these vulnerabilities to Samsung between late 2022 and early 2023. It’s been more than 90 days since the researchers submitted some of the reports but the Korean firm has yet to patch any of the flaws.
Full list of devices affected by these Exynos vulnerabilities
These zero-day vulnerabilities affect over a dozen Samsung smartphones, including the Galaxy S22, Galaxy M33, Galaxy M13, Galaxy M12, Galaxy A71, Galaxy A53, Galaxy A33, Galaxy A21, Galaxy A13, Galaxy A12, and Galaxy A04 series.
Google, which started using Samsung-made Tensor chips in Pixel smartphones in 2021, has also found all recent Pixel models vulnerable, i.e. Pixel 6 and Pixel 7 series. Affected Vivo devices include the Vivo S16, Vivo S15, Vivo S6, Vivo X70, Vivo X60, and the Vivo X30 series.
Additionally, any wearable product featuring the Exynos W920 chipset is also vulnerable to these security flaws. Samsung’s Galaxy Watch 4 and Galaxy Watch 5 series are among them. Finally, these Exynos modem vulnerabilities also affect vehicles using the Exynos Auto T5123 chipset. According to the official release from Project Zero, Google’s March update for Pixel devices patches the issues.
The update is already available for the Pixel 7 series but the Pixel 6 series is still awaiting it. The vulnerabilities seemingly remain unpatched on other affected devices.
As a temporary protection measure, Project Zero’s head Tim Willis advises users to turn off Wi-Fi calling and Voice-over-LTE (VoLTE). This will “remove the exploitation risk of these vulnerabilities” on affected devices. Unfortunately, these features are essential for many people. We hope Samsung will patch these flaws on its Exynos modems sooner than later.