Google has a Project Zero team that analyzes software and hardware, looking for exploits allowing malicious attackers to get into various gadgets. Project Zero just found one such severe vulnerability, a 0-day issue that would allow hackers to remotely control phones like the Pixel 7 and 6 series, and Samsung Galaxy phones like the Galaxy S22.
The issue resides in the Exynos modems inside those devices. Until manufacturers, Google included, patch them, users should turn off two phone features to eliminate the risk of hacks. These are VoLTE and Wi-Fi calling and shouldn’t impact your overall phone experience.
With VoLTE turned on, you’ll be placing your calls over 4G, and the feature should improve the overall quality of phone calls. Wi-Fi calling, meanwhile, helps you make calls in areas with spotty cellular reception. They’re not must-have features that you immediately think of when buying a new phone. Rather, you take them for granted, if you’re even aware of them.
Whatever the case, you can easily turn these features off from the phone’s Settings app. Once the Exynos patches start rolling in via security updates, you can reenable them.
You might not consider yourself a target for hackers, but that doesn’t mean you’re safe.
Project Zero found 18 vulnerabilities in Exynos modems from late 2022 and early 2023. Four of them are critical, including issues that would allow an attacker to control phones remotely:
The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
These vulnerabilities are serious enough that they convinced Project Zero to delay the disclosure of the four vulnerabilities. Apparently, it’s fairly easy for attackers to take advantage of them. The following devices are affected, including Pixel and Galaxy models:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google;
- any wearables that use the Exynos W920 chipset; and
- any vehicles that use the Exynos Auto T5123 chipset.
Pixel devices already got an update this month for the CVE-2023-24033 vulnerability. But you still should disable VoLTE and Wi-Fi calling until all the issues are patched. As always with security updates, make sure you install them as they roll out.
You’ll find Google’s Project Zero report at this link. Separately, Samsung Semiconductor published a security update on the Exynos modem issues over here.