The Project Zero team on Google, which focuses on security research, found vulnerabilities in Exynos modems that could put the users of affected devices at risk of being hacked. Some of the affected devices include Pixel 6 and 7 as well as Galaxy S22 and A53.
Vulnerabilities in the Modem
Project Zero found 18 zero-day vulnerabilities in Exynos modems between late 2022 to early 2023. The modems in question are produced by Samsung Semiconductor. It was noted that hackers can easily access affected models until Samsung presents a fix for its modems.
Among the 18 vulnerabilities, four of them may subject users to severe risks since they can allow hackers to execute code remotely at the baseband level without the need of interacting with the user. All the threat actor will need is the potential victim's phone number.
As mentioned in the Project Zero blog post, all that is needed aside from the phone number is limited additional research and development, and skilled hackers could quickly create an operational exploit to remotely compromise the affected devices.
Project Zero has a 90-day deadline by which they release information about the vulnerabilities to the public. They have already disclosed five vulnerabilities from the 18, while the other nine are to remain confidential since they haven't reached the 90-day mark yet.
However, the security team chose not to disclose the four severe potential exploits since in this rare case, threat actors may benefit more from the disclosed information. There is a huge risk of hackers quickly creating operational exploits due to the rare combination of levels of access.
The vulnerabilities will still be disclosed, but Project Zero will be making a policy exception and subject the disclosure of information to a delay. The policy in question is the 90-day disclosure deadline policy which marks the release of detailed technical descriptions of the issue.
Affected Devices and How to Minimize Risk
The devices affected by the mentioned vulnerabilities have Exynos chipsets, which are the following:
Samsung
Galaxy S22
Galaxy M33
Galaxy M13
Galaxy M12
Galaxy A71
Galaxy A53
Galaxy A33
Galaxy A21
Galaxy A13
Galaxy A12
Galaxy A04
Vivo
S16
S15
S6
X70
X60
X30
Wearables
Any wearables that use the Exynos W920 chipset
Vehicles
Any vehicles that use the Exynos Auto T5123 chipset
Project Zero advised that in order to avoid baseband remote code execution vulnerabilities with the Exynos chipsets, users can turn off Wi-Fi calling and Voice-over-LTE in their device settings, as these will remove the risk of exploitation until security updates are implemented.
Although, many of the Galaxy S22 owners are safe from the potential exploit. Phones sold outside of Europe as well as in select African countries use Qualcomm processors and Qualcomm modems, as mentioned in The Verge.
It's also possible that the Galaxy S21 and Galaxy S22 are safe, given that Samsung uses Qualcomm modems for the mentioned phone models globally, while older ones that use the Exynos chip are not included in the disclosed affected chips.
