Samsung’s Exynos chips, which are not only used in Samsung smartphones and smartwatches but also in other manufacturers’ devices, have been found to have 18 zero-day vulnerabilities. These zero-day vulnerabilities are particularly dangerous as they allow external programs from the Internet to be executed on a mobile device, provided the attacker knows the phone number. Four of the vulnerabilities have been classified as critical, as they allow “Internet-to-Baseband Remote Code Execution.” This would enable attackers to run software from the Internet on the attacked modem without user intervention or notice.
The vulnerabilities were found in late 2022 and early 2023, affecting Exynos Modem 5123 and 5300, Exynos 980 and 1080, and Exynos Auto T5123. Devices that are most likely to be vulnerable include Samsung smartphones of the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series, Vivo-S16, S15, S6, X70, X60 and X30 series smartphones, Google’s Pixel 6 and 7, wearables with Exynos W920 chips, and vehicles with Exynos T5123 chips.
There are only a few patches available, and most of them are not yet publicly available, and users cannot install them themselves. For affected Pixel devices, Google has addressed CVE-2023-24033 in the March 2023 security update, but users should manually search for the update in the settings until it is suggested by the system. In the absence of a patch, Google’s Project Zero recommends disabling WLAN telephony and Voice-over-LTE in the settings to eliminate the risk of exploiting these vulnerabilities.
Due to the high risk posed by the zero-day vulnerabilities, Google’s Project Zero has released the information ahead of schedule, despite its policy of only publishing security gaps with a delay of 30 days after the update is available. Additionally, the vulnerabilities ranged from critical to less threatening, with 14 other vulnerabilities being found that were classified as less dangerous. These vulnerabilities still pose a risk but would require manual access to the device or a malicious wireless service provider to be exploited.
