The vulnerabilities were discovered in late 2022 and early 2023. Four of the eighteen are considered the most critical, as they allow remote code execution with just the victim’s phone number. Only one of the most severe exploits has a publicly assigned Common Vulnerabilities and Exposures (CVE) number, with Google withholding a number of CVEs associated with this vulnerability in a rare exception to normal bug protocol.
The following devices are affected, according to Google’s Project Zero:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google; and
- All vehicles using the Exynos Auto T5123 chipset.
This bug has been fixed in the March security update, which the Pixel 7 series already has. However, the Pixel 6 series doesn’t have it yet, and Google says users of unpatched devices should disable VoLTE and Wi-Fi Calling. Tim Willis, the head of Project Zero, said that “with limited additional research and development, we believe that skilled attackers will quickly be able to create an operational exploit to compromise affected devices silently and remotely.” In other words, a user can have their device compromised and potentially not even know about it, and it looks like it could also be pretty easy for some attackers to find and exploit.
As for the major exploit we have information about, CVE-2023-24033, its description simply says that the affected baseband modem chipsets “do not properly check format types specified by the Session Description Protocol (SDP) module, which could lead to a denial of service attack.” A denial of service attack in this context typically means that a hacker can remotely lock your phone and prevent you from using it, although no further details are provided.
The other fourteen vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine others with CVEs pending) are still not critical to the end user. For successful exploitation, they require “either a malicious mobile network operator or an attacker with local access to the device.”
If you are using an affected device and waiting for an update, make sure to disable VoLTE and Wi-Fi Calling for now. If you have the March security update available but haven’t updated yet, it might be time to do so.
Source: Google Project Zero