Google’s Project Zero team, a group of white hat hackers, has discovered 18 vulnerabilities in Samsung’s Exynos chipsets that can be exploited by remote attackers to compromise phones without user interaction. The most severe flaws in the chipset allowed internet-to-baseband remote code execution.
The vulnerabilities enable attackers to remotely compromise a phone at the baseband level with no user interaction, requiring only knowledge of the victim’s phone number.
Experts warn that attackers with the requisite skills can exploit these vulnerabilities silently and remotely, without the knowledge of the victim.
Until security updates are available, users are advised to turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in the settings of vulnerable devices to prevent baseband remote code execution attacks.
Samsung Semiconductor has released advisories listing the Exynos chipsets impacted by these vulnerabilities. Affected products include devices from Samsung, Vivo, and Google, along with any wearables that use the Exynos W920 chipset and any vehicles that use the Exynos Auto T5123 chipset.
Google did not disclose the technical details of the vulnerabilities to avoid enabling threat actors to create their own exploits. The researchers disclosed only five of the 18 vulnerabilities, those that had exceeded Project Zero’s standard 90-day deadline.
Project Zero team lead Tim Willis said that they made a policy exception to delay disclosure for the four vulnerabilities that allowed for internet-to-baseband remote code execution due to the rare combination of level of access and speed that could allow attackers to quickly create an operational exploit.
Users are advised to apply the security updates as soon as they are available to mitigate these vulnerabilities.