Google is warning users about vulnerabilities found in some Samsung chips, which include dozens of Android devices, wearables and vehicles.
Security researchers reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung in late 2022 and early 2023, Tim Willis, head of Google’s Project Zero, wrote in a blog post on Thursday.
The four most severe vulnerabilities allow Internet-to-baseband remote code execution, allowing an attacker to “remotely compromise the phone at the baseband level, without user interaction and requiring only the attacker to know the victim’s phone number.”
“With limited additional research and development, we believe a skilled attacker will be able to quickly create an operational exploit to silently and remotely compromise affected devices,” warns Willis.
YOUTUBE resumes Trump’s channel, able to upload new content ahead of 2024 election
The Google logo is displayed on the carpet at the entrance hall of Google France in Paris, November 18, 2019. (AP Photo/Michelle Euler, File)
The other 14 vulnerabilities are less critical because they require a malicious mobile network operator or an attacker with local access to the device.
Affected products could include Samsung mobile devices from the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series, as well as the S16, S15, S6, X70, X60 and X30 series. Also included are Google’s Pixel 6 and Pixel 7 series devices and any vehicle using the Exynos Auto T5123 chipset.
Best Browser Alternatives to the Once-Popular but Now Retired Internet Explorer
Google Pixel 7 large ad network outside London Bridge Station, London, UK, November 17, 2022. ((Photo by Mike Kemp/Getty Images))
Patch schedules vary by manufacturer, Google said. Project Zero researcher Maddie Stone tweeted that Samsung has 90 days to patch the vulnerability, but has not yet done so. Pixel devices already have the March security update patch installed.
A woman walks past an advertisement for Samsung’s Galaxy S22 smartphone at the company’s building in Seocho, Seoul, July 7, 2022. ((Photo by JUNG YEON-JE/AFP via Getty Images))
In the meantime, users who wish to protect themselves from the baseband remote code execution vulnerability in the post can turn off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings.
“As always, we encourage end users to update their devices as soon as possible to ensure they are running the latest version that fixes both disclosed and undisclosed security vulnerabilities,” Willis added.
