New Samsung 0-Click Security Threat Alert, Disable Wi-Fi Calling Now
Elite security researchers, part of the Google Project Zero team, have uncovered a total of 18 zero-days impacting devices that use Samsung Exynos modems. That’s worth repeating: 18 zero-day vulnerabilities. Of these, four allow for what is known as internet-to-baseband remote code execution. In other words, a successful attack would be zero-click, involving no user interaction, and would require the attacker only to know the target’s telephone number. What’s more, this silent and remote attack could give the threat actor access to the data flowing through the built-in Exynos modems, including calls and text messages. All without the user clicking on anything, installing anything, or knowing it was happening.
What has Google Project Zero disclosed?
Tim Willis, head of Project Zero, posting to the Project Zero blog on 16 March, revealed that between late last year and early this year, the Project Zero team reported a total of 18 zero-day vulnerabilities concerning Exynos modems to Samsung. Of these, CVE-2023-24033 and three others yet to be assigned a CVE number were deemed the most serious. These are the four that allow internet-to-baseband remote code execution, carried out ‘silently and remotely.’
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number,” Willis posted. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
What devices are impacted by CVE-2023-24033?
A Samsung Semiconductor security update lists the following chipsets as being affected by the zero-days:
- Exynos 850
- Exynos 980
- Exynos 1080
- Exynos 1280
- Exynos 2200
- Exynos Modem 5123
- Exynos Modem 5300
- Exynos Auto T5123
Meanwhile, Project Zero lists the following products as likely to be impacted:
- Mobile devices from Samsung: S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
- Mobile devices from Vivo: S16, S15, S6, X70, X60 and X30 series
- Mobile devices from Google: Pixel 6 and Pixel 7 series
- Any wearables that use the Exynos W920 chipset
- Any vehicles that use the Exynos Auto T5123 chipset
It should be noted that some devices, such as the Samsung S22 series, sold outside of Europe will likely be using the Qualcomm chipset and modem rather than Exynos, and so are not affected by this security alert.
What do Samsung and Google Pixel owners need to do?
While the Google Pixel devices are already protected by the March 2023 security update, the Samsung ones have yet to be patched, despite the researchers giving the company 90 days to do so.
Google Project Zero has warned that given the seriousness of the threat, users should protect themselves by “turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings” until a security patch is available.
I have reached out to Samsung for a statement regarding when users can expect to see the vulnerabilities patched. I will update this article as soon as I have heard back.