According to a recent report, Google has discovered 18 severe security vulnerabilities in Samsung’s Exynos chips, some of which can be remotely exploited without user interaction to completely compromise a phone. These zero-day vulnerabilities affect a broad range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.
Of the 18 vulnerabilities, four can allow an attacker to achieve internet-to-Samsung, Vivo, and Google, as well as wearables using the Exynos W920 chipset and vehicleses in late 2022 and early 2023. This means that a hacker can remotely compromise a phone at the baseband level without user interaction, requiring only knowledge of the victim’s phone number. If exploited, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Google Project Zero’s head, Tim Willis, disclosed the four flaws but withheld additional details.
The remaining 14 vulnerabilities are considered less severe as they require a rogue mobile network insider or an attacker with local access to the device. Pixel 6 and 7 handsets have already received a patch as part of March 2023 security updates, but patches for other devices are expected to vary depending on the manufacturer’s timeline.
While waiting for the patches, users are recommended to turn off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings to “remove the exploitation risk of these vulnerabilities.” Even though the attacks may appear difficult to execute, skilled attackers can devise an operational exploit to breach affected devices remotely and silently.