Dangerous Android phone 0-day bugs revealed – patch or work around them now! – Naked Security

Google recently revealed four critical zero-day bugs affecting a wide range of Android phones, including some of its own Pixel models. These bugs differ from the usual Android vulnerabilities: they are baseband vulnerabilities, meaning that they exist in the special mobile phone networking firmware that runs on the phone’s baseband chip. This chip operates independently of the “non-telephone” parts of your mobile phone. It essentially runs a miniature operating system of its own, on a processor of its own, and works alongside your device’s main operating system to provide mobile network connectivity.

These baseband chips handle the modulation and demodulation involved in sending and receiving data to and from the network. An internet-to-baseband remote code execution hole therefore means that criminals could inject malware or spyware into the part of your phone that sends and receives network data, without getting their hands on your actual device, luring you to a rogue website, or persuading you to install a dubious app.

Google’s research focused on devices that used a Samsung Exynos-branded baseband modem component, but that doesn’t necessarily mean that the system-on-chip would identify or brand itself as an Exynos. As a result, it’s difficult to answer the questions, “Am I affected? And if so, what should I do?” Google reports that affected products likely include mobile devices from Samsung, Vivo, and Google, as well as any vehicles that use the Exynos Auto T5123 chipset.

Google says that the baseband firmware in both the Pixel 6 and Pixel 7 was patched as part of the March 2023 Android security updates, so Pixel users should ensure they have the latest patches for their devices. For other devices, different vendors may take different lengths of time to ship their updates, so check with your vendor or mobile provider for details.

In the meantime, these bugs can apparently be sidestepped in your device settings by turning off Wi-Fi calling and Voice-over-LTE (VoLTE). Google states that “turning off these settings will remove the exploitation risk of these vulnerabilities”. If you don’t need or use these features, you may as well turn them off anyway until you know for sure what modem chip is in your phone and whether it needs an update.

Overall, Google’s recent discovery of these baseband vulnerabilities is a critical reminder that your Android device is at risk from cybercriminals not only via bugs in the main operating system or one of the apps you use, but also via security vulnerabilities in the baseband subsystem. It is important to stay up to date on the latest security patches and to know how to work around your device’s vulnerabilities safely in the meantime.