
Google is urging owners of Android phones that use certain Samsung chipsets to take immediate action to protect themselves from critical vulnerabilities. These vulnerabilities can allow skilled hackers to compromise devices by making a specially crafted call to the owner’s number. The affected chipsets are Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123. Devices that use these chipsets include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, and cars with the Exynos Auto T5123 chip. Only devices that run the Exynos chipset, which includes the baseband that processes signals for voice calls, are vulnerable. The US version of the Galaxy S22 runs a Qualcomm Snapdragon chip and is not vulnerable.
Google’s Project Zero vulnerability team reported on four bugs, one of which is tracked as CVE-2023-24033, that make it possible for hackers to execute malicious code. Baseband code-execution bugs are particularly critical because the chips have root-level system privileges to ensure voice calls work reliably. The vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and the attacker needs to know only the victim’s phone number. Skilled attackers could create an operational exploit to compromise affected devices silently and remotely with limited additional research and development.
Google has released a patch for the Pixel 7 models, but Pixel 6 users are still waiting for their update. Samsung has released a patch for CVE-2023-24033, but it has not yet been delivered to end-users, and there’s no indication that it has patched the other three critical vulnerabilities. Until they are patched, affected devices remain exposed to attacks that give access at the deepest level possible.
To mitigate the impact of these vulnerabilities, Google advises users to install all available security updates and turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. However, turning off these settings will remove most voice-calling capabilities from the device. Samsung advises users to install all available security updates, keep an eye out for the patching of CVE-2023-24033, and turn off Wi-Fi calling and VoLTE. Unfortunately, it’s not clear if it’s possible to turn off VoLTE on many models.