Google security analysts have warned Android device users that a zero-day vulnerability in some Samsung chipsets could allow attackers to take complete control of their phones and remotely control them with just a phone number. I’m here.
In late 2022 and early this year, Google’s Project Zero found and reported 18 of these bugs in Samsung’s Exynos cellular modem firmware, according to Tim Willis, who heads the bug hunting team. Four of the vulnerabilities allow remote code execution from the Internet into the baseband. Since the baseband (or modem) portion of the device typically has low-level access privileges to all hardware, exploiting bugs in that code could allow an intruder to gain complete control of the phone or device. will be Technical details of these holes have been withheld to protect vulnerable gear users.
“Tests conducted by Project Zero confirm that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, allowing the attacker to know the victim’s phone number. You just need to have the break down of security flaws.
A skilled attacker can quickly create operational exploits to silently and remotely compromise affected devices.
“With limited additional research and development, we believe skilled attackers can rapidly create operational exploits to compromise affected devices silently and remotely,” he added. .
One of these four serious bugs has been assigned a CVE number and is tracked as follows: CVE-2023-24033The other three are waiting for bug IDs.
According to Willis, the other 14 problems are less severe and require “a malicious mobile network operator or an attacker with local access to the device.”These include CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that have not yet been assigned identifiers.
Affected devices include samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series chips. Vivo mobile devices including S16, S15, S6, X70, X60, X30 series. Google’s Pixel 6 and Pixel 7 series devices. Vehicles using the Exynos Auto T5123 chipset.
Google has published a fix for CVE-2023-24033 affecting Pixel devices. March security updateUntil other manufacturers plug the holes, if you’re using a vulnerable device with Samsung’s silicon, turn off Wi-Fi calling and Voice-over-LTE (VoLTE) and use baseband remotes. Willis suggests protecting against code execution.
And as always, patch your gadget as soon as software updates are available.
The team at Google — and most security researchers – Compliance to 90 days disclosure This means that after reporting a bug to a hardware or software vendor, the vendor has 90 days to issue a fix. Researchers then expose the flaw.
However, in very rare and serious cases where “attackers benefit far more than defenders if vulnerabilities are disclosed,” bug hunters will make exceptions to delay disclosure, Willis said. As pointed out. This is a case of four zero-days enabling RCE from the Internet to baseband.
Project Zero published four of the remaining 14 low-severity defects that exceeded the 90-day deadline. The remaining 10 will be released to the public if he exceeds 90 days without amendment, Willis added. ®
