And it’s not just Samsung’s own phones and devices that are affected — though some users may be able to patch away some of the worst security issues.
As per Google’s Project Zero security team, there’s a big old flaw in Samsung’s Exynos modems that could allow remote attackers — folks with bad intent on the internet, and there’s plenty of those out there — to remotely execute code with little more than a sent SMS to an unpatched device.
Or in other words, a level of phone or device takeover that would need little more than your phone number. Which is, of course, not good at all.
In total, the Project Zero team identified 18 0-day vulnerabilities in Exynos modems, with the four most severe being able to execute remote code with just a phone number. As per Google’s Tim Willis
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
Ouch indeed.
Which devices are affected? Is this just a Samsung problem?
To the second question, nope. Samsung makes a lot of parts for a lot of phone makers — many iPhone screens are, for example, actually Samsung parts — and the Project Zero post identifies the following devices as being affected:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
- The Pixel 6 and Pixel 7 series of devices from Google
- vehicles that use the Exynos Auto T5123 chipset.
That’s just what they’ve identified and made public of course; it’s feasible (but not yet confirmed) that the issue may track further than this.
I’ve got one of those devices. What can I do to keep my device and data safe?
Wait for patches, mostly.
Google notes that the March 2023 update for Pixel devices fixes one of the four most egregious security issues, though not the other three at this time.
It’s not clear when or if we’ll see patches for the other Samsung devices or Vivo phones. I’m genuinely not sure if there are cars on Australian roads using that Exynos Auto chipset (it’s not my specialty area), but that too would need some level of patching.
It’s worth noting that while Google has identified that the flaws exist, it’s not detailing what the specifics are. That’s smart. Why let the bad people know how they can hack phones?
In the meantime, however, if you are concerned, the way to temporarily block access to the exploit is, as per Google, to disable Voice over LTE and Wi-Fi calling features on affected devices. Which means logically the flaws must be there in some way.
What that will most likely do is potentially degrade your voice quality for phone calls, because VoLTE and Wi-Fi calling often kick in as replacements in areas where actual mobile signal is low. That isn’t ideal — but it feels like it’s a whole lot better than having your phone hacked.
Alex’s Take:
It’s never a good thing when vulnerabilities in communications hardware is discovered, in one sense.
But it’s understandable — the software and hardware is complex and software all but inevitably has bugs and issues.
At least making people aware of these issues — and, critically patching them — can lead to more secure devices down the track, as long as actual updates are made available.
On the Android side of things, I wouldn’t be 100% shocked to see Google implement as many of these updates as possible into full Android security updates rapidly — though again, for third party devices the speed at which those updates arrives can vary quite widely.
