Exynos Bug Affecting Galaxy S22 and Pixel 6 Still Unresolved by Samsung, Causing Concerns Over Lethal Impact

Exynos Chips in Android Phones Found to Have Security Hole

Concerns have been raised regarding the security of popular Android phones featuring Samsung-made Exynos chips. The team behind Project Zero, a security analyst group at Google that aims to protect people from targeted attacks, recently discovered a total of eighteen 0-day vulnerabilities in Exynos modems. A 0-day vulnerability refers to a flaw that the product vendor is not yet aware of.

Four Vulnerabilities Allow Remote Code Execution

The flaws were identified between late 2022 and early 2023, and four of them could enable hackers to gain access to affected phones by way of internet-to-baseband remote code execution. A hacker could take advantage of this vulnerability with only the phone number of the victim to compromise their phone remotely and silently. Tests conducted by Project Zero confirmed that the four vulnerabilities could allow an attacker to compromise a phone at a baseband level without any user interaction. With some additional research and development, skilled cyber attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

Affected Smartphones and Watches

According to Samsung’s website, the vulnerabilities exist in its Exynos Modem 5123 and Exynos Modem 5300 as well as its Exynos 980 and Exynos 1080 chipsets. These chips are found in a range of devices, including the Samsung Galaxy S22 (only the Exynos-powered variants sold in the UK and Europe), A71, A53, A33, A21s, A13, A12, A04, M33, M13, and M12 series, the Samsung Galaxy Watch 5 and Watch 4, the Vivo S16, S15, S6, X70, X60, and X30 series, and the Google Pixel 7 duo, Pixel 6 range, and Pixel 6a.

Samsung and Vivo Devices Remain Unprotected

The most severe vulnerability, CVE-2023-24033, was addressed by the March software update for the Pixel 7, and the Pixel 6 and 6a will receive this update later this month. However, Samsung and Vivo devices remain unprotected, despite Samsung being informed of the issue 90 days ago by Project Zero researchers.

Project Zero’s Advice to Users

Project Zero advises users who want to safeguard their devices from baseband remote code execution vulnerabilities to turn off both Wi-Fi calling and Voice-over-LTE (VoLTE) until a patch is made available. Since the four critical bugs are easy to exploit, the group has decided to make an exception to its disclosure policy by not revealing additional details that could make a hacker’s job easier.