Samsung is taking forever to fix lethal Exynos bug affecting Galaxy S22 and Pixel 6

Samsung is taking forever to fix high-risk Exynos bug affecting Galaxy S22 and Pixel 6
Several popular Android phones with Samsung-made Exynos chips have a security hole that could give hackers a frightening amount of control over the devices.

Project Zero, a team of security analysts at Google that aims to protect people from targeted attacks, has found eighteen 0-day vulnerabilities in Exynos modems. A 0-day vulnerability is a flaw that was previously unknown to the product vendor.

Four vulnerabilities could give hackers easy access to affected phones

The flaws were discovered between late 2022 and early 2023 and four of them allowed for internet-to-baseband remote code execution. An attacker would only need someone's phone number to exploit this vulnerability and compromise the victim's phone silently and remotely.

The remaining related vulnerabilities are not as severe and would require a malicious mobile network operator or direct access to a device.

Affected smartphones and watches

According to Samsung's website, the vulnerabilities are in its Exynos Modem 5123 and Exynos Modem 5300, and Exynos 980 and Exynos 1080 chipsets (via 9to5Google). These chips are found in the following devices:

  • Samsung Galaxy S22 (only the Exynos-powered variants sold in the UK and Europe), A71, A53, A33, A21s, A13, A12, A04, M33, M13, and M12 series
  • Samsung Galaxy Watch 5 and Watch 4
  • Vivo S16, S15, S6, X70, X60 and X30 series
  • Google Pixel 7 duo, Pixel 6 range, and Pixel 6a

The March software update for the Pixel 7 addressed the most severe vulnerability, CVE-2023-24033. The Pixel 6 and 6a will reportedly get the update later this month. Samsung and Vivo devices remain unprotected, even though Samsung was alerted about the issue 90 days ago.

Project Zero advises that until a fix is rolled out, users who want to protect their devices from the baseband remote code execution vulnerabilities should turn off Wi-Fi calling and Voice-over-LTE (VoLTE).

Since the four critical bugs are easy to exploit, Project Zero has decided to make an exception to its disclosure policy and is not revealing additional details that may make a hacker's job easier. 

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless