Google Project Zero has highlighted a set of dangerous security flaws in Samsung’s Exynos chips that can be exploited without any user interaction and grant a threat actor complete control of affected devices, ranging from Android smartphones to wearables and vehicles.
18 Zero-Days in Exynos W920 Chipset and the Exynos Auto T5123 Chipset
The 18 zero-day vulnerabilities involve the Exynos W920 chipset and the Exynos Auto T5123 chipset. Of the 18 flaws, four could be used to enable internet-to-baseband remote code execution, as reported by Google Project Zero in late 2022 and early 2023. According to Tim Willis, head of Google Project Zero, these four vulnerabilities permit an attacker to remotely access a phone at the baseband level simply by knowing a victim’s phone number.
CVE-2023-24033
Of these, the four most severe (CVE-2023-24033 and three others yet to be assigned CVE-IDs) enabled remote code execution via Internet-to-baseband. According to the National Vulnerability Database’s description of CVE-2023-24033, the Session Description Protocol (SDP) module’s format types are not properly checked by the Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets, resulting in a potential denial of service.
Tests by Project Zero confirmed that these could allow an attacker to remotely compromise a phone at the baseband level, requiring only the victim’s phone number. Skilled attackers could likely create an exploit that does so silently and remotely with minimal additional research and development. The remaining fourteen vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine others yet to be assigned CVE-IDs) were less severe, as they required either a malicious mobile network operator or an attacker with local access to the device.
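As an added illustration (not Samsung’s code; the actual Exynos SDP module and the exact CVE-2023-24033 defect are not public), the following C parser shows what strict checking of the format types on an SDP media line looks like: every <fmt> token must be a decimal RTP payload type in the range 0..127, and the number of tokens is bounded by the array that receives them. The names sdp_parse_media_line, sdp_media and SDP_MAX_FMTS are assumptions made for this example.

```c
/* Strict parser for an SDP media description ("m=") line (RFC 4566). Added
 * illustration, not Samsung code: the real Exynos SDP module and the exact
 * CVE-2023-24033 defect are not public. Shown: bounded fmt count, range-checked fmts. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define SDP_MAX_FMTS 16   /* fmt[] is a fixed array, so the count must be bounded */
struct sdp_media {
    char media[8];                   /* "audio", "video", ... */
    unsigned port;                   /* 0..65535 */
    char proto[16];                  /* "RTP/AVP", "RTP/SAVP", ... */
    unsigned nfmt;                   /* number of entries used in fmt[] */
    unsigned char fmt[SDP_MAX_FMTS]; /* RTP payload types, each 0..127 */
};
/* Copy the next space-delimited token into dst; -1 if it is empty or too long. */
static int take_token(const char **p, char *dst, size_t dstsz) {
    const char *s = *p;
    size_t n = strcspn(s, " ");
    if (n == 0 || n >= dstsz) return -1;
    memcpy(dst, s, n); dst[n] = '\0';
    *p = s + n + (s[n] == ' ');      /* skip exactly one separator */
    return (int)n;
}
/* Strictly decimal number in [0, max]; -1 on sign, whitespace, junk, or overflow. */
static long parse_num(const char *tok, long max) {
    char *end; long v;
    if (!isdigit((unsigned char)tok[0])) return -1;   /* strtol alone would accept "-1" */
    errno = 0;
    v = strtol(tok, &end, 10);
    return (errno || *end != '\0' || v > max) ? -1 : v;
}
/* 0 on success (fills *out), -1 on malformed input. Only numeric RTP <fmt> tokens accepted. */
int sdp_parse_media_line(const char *line, struct sdp_media *out) {
    const char *p = line;
    char tok[16]; long v;
    if (strncmp(p, "m=", 2) != 0) return -1;
    p += 2;
    memset(out, 0, sizeof *out);
    if (take_token(&p, out->media, sizeof out->media) < 0) return -1;
    if (take_token(&p, tok, sizeof tok) < 0 || (v = parse_num(tok, 65535)) < 0) return -1;
    out->port = (unsigned)v;
    if (take_token(&p, out->proto, sizeof out->proto) < 0) return -1;
    while (*p != '\0') {
        if (out->nfmt >= SDP_MAX_FMTS) return -1;    /* would overflow fmt[] */
        if (take_token(&p, tok, sizeof tok) < 0 || (v = parse_num(tok, 127)) < 0) return -1;
        out->fmt[out->nfmt++] = (unsigned char)v;
    }
    return out->nfmt > 0 ? 0 : -1;                   /* at least one <fmt> required */
}
```

A parser that skipped either the numeric range check or the count bound would accept a well-formed-looking line whose format list is malformed or oversized, which is the class of input a baseband SDP module must reject before any further processing.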
Users of Pixel 6 and 7 handsets have already received a fix with the March 2023 security updates. For other devices, the timing of patches depends on each manufacturer’s schedule. To reduce exposure to the flaws in the meantime, users are advised to turn off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings.
What Is a Zero-Day?
A “zero-day vulnerability” is a security flaw in software or hardware that is unknown to the public and has not yet been addressed by the software or hardware developer. Because the flaw can be exploited before anyone is aware of it, an attack that uses it is called a “zero-day” exploit. Such an exploit can cause considerable damage before it is detected, which is what makes it particularly dangerous.