Google’s Project Zero team recently revealed that multiple security flaws were found in Samsung’s Exynos chipsets. Project lead Tim Willis reported at least 18 zero-day vulnerabilities in the Exynos modems used in Samsung’s flagship Galaxy devices, some of which allow for ‘Internet-to-baseband remote code execution’ without any user interaction. Willis said that attackers with even limited technical knowledge could quickly craft reliable exploits to compromise affected devices.
To protect against this attack, users can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Google withheld details on four of the 18 vulnerabilities due to their severity and the risk of malicious actors creating in-the-wild exploits. Five of the remaining vulnerabilities have been publicly disclosed, while the other nine will be released if patches remain unavailable after their 90-day embargo.
Samsung has released multiple advisories detailing the affected Exynos chipsets, including handsets from Samsung, Vivo and Google’s Pixel 6/7. The company described the issues as heap buffer overflows in the 5G MM message codec when decoding extended emergency lists, service area lists and reserved options.
Overall, these security flaws are a serious issue, as attackers can remotely compromise a phone at the baseband level with no user interaction whatsoever. To protect against this attack, users can turn off Wi-Fi calling and Voice-over-LTE, and await security updates from Samsung.
Key Points:
• Google’s Project Zero team recently discovered multiple security flaws in Samsung’s Exynos chipsets
• 18 zero-day vulnerabilities have been reported in the Exynos modems used in Samsung’s Galaxy devices
• Exploits can be crafted to silently and remotely compromise affected devices
• Users can turn off Wi-Fi calling and Voice-over-LTE to protect against the attack
• Samsung has released multiple advisories detailing the affected Exynos chipsets