Google’s Project Zero security research team has discovered 18 security issues related to Samsung’s Exynos chipset used in smartphones, mobile devices, wearables and cars.
Four of the 18 reported vulnerabilities are critical and could let cybercriminals hack smartphones remotely, using only the user’s phone number.
Tim Willis, head of Project Zero, said tests conducted by the company confirmed that these four vulnerabilities allow an attacker to “remotely compromise a phone at the baseband level without user interaction”.
“With limited additional research and development, we believe that skilled attackers would quickly be able to create an operational exploit to compromise affected devices silently and remotely,” Willis said.
However, the report revealed that the other 14 vulnerabilities are not as serious as they require either a malicious mobile network operator or an attacker with local access to the device.
Affected mobile devices include South Korean company Samsung’s phones in S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04.
Other devices include Chinese brand Vivo’s S16, S15, S6, X70, X60 and X30 series phones; Google’s Pixel 6 and Pixel 7 series phones; and all vehicles using the Exynos Auto T5123 chipset.
Under its standard disclosure policy, Project Zero discloses security vulnerabilities to the public at a specified time after reporting them to a software or hardware vendor.
It is still not clear.
Project Zero researchers expect that patch timelines will vary from manufacturer to manufacturer. For example, affected Pixel devices have already received a security update this month. Although Google has already fixed the issues for the Pixel 7 series phones, the update has not reached the Pixel 6 series phones yet.
In the meantime, Google recommends that users with affected devices can protect themselves from the vulnerabilities by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. VoLTE is how phones and carriers transmit our voices during a call.
“We encourage end users to update their devices as soon as possible to ensure they are running the latest builds that address both disclosed and undisclosed security vulnerabilities,” Willis said.
Samsung, which was the largest smartphone maker last year, and other vendors have yet to resolve the issues affecting the Exynos chips.
Last September, Samsung said it suffered a cybersecurity breach in July that exposed the personal information of some customers in the United States.
Updated: March 18, 2023 at 04.00