18 Zero-Day Vulnerabilities Discovered in Samsung Exynos Chipsets: Protect Yourself Now

Google's Project Zero team recently uncovered 18 zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars.^[0] Of the 18, four of them are of the most severe kind that can allow remote code execution. Google's Pixel 6 and Pixel 7 series, Samsung phones, and wearables are all affected by the vulnerability.^[1] Until patches are released, users are advised to switch off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings to reduce the risk of exploitation.

The four most severe vulnerabilities among the 18 discovered by the Project Zero team allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and only require the attacker to know the victim's phone number.^[2] With minimal additional research and development, skilled attackers could create an operational exploit to silently and remotely compromise affected devices.^[2]

The list of Exynos chipsets that are vulnerable to these exploits can be found in the advisory published by Samsung Semiconductor.^[3] Affected devices include the Galaxy S22, Galaxy M33, Galaxy M13, Galaxy M12, Galaxy A71, Galaxy A53, Galaxy A33, Galaxy A21, Galaxy A13, Galaxy A12, Galaxy A04 series, any wearables using the Exynos W920 chipset, and any vehicles using the Exynos Auto T5123 chipset.^[0]

Google has already addressed one of the issues in the March 2023 Patch for its Pixel devices.^[4] However, the update has yet to reach the Pixel 6, Pixel 6 Pro, and Pixel 6a, leaving them still vulnerable to attack.^[4] Samsung also released the March security update for its flagship models as part of its Security Maintenance Release (SMR), which includes patches from Google and Samsung.^[5]

Those with affected devices can defend themselves from the remote code execution vulnerabilities related to the baseband by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in the device settings. As always, Google encourages end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.^[3]

0. “Samsung hasn't patched a critical bug affecting many Galaxy phones with Exynos chips” SamMobile – Samsung news, 17 Mar. 2023, https://www.sammobile.com/news/galaxy-phones-risk-bug-exynos-chip/

1. “Google: turn off Wi-Fi Calling and VoLTE in Pixel/Samsung devices affected by major security issues” Ghacks, 17 Mar. 2023, https://www.ghacks.net/2023/03/17/google-turn-off-wi-fi-calling-and-volte-in-pixel-samsung-devices-affected-by-major-security-issues/

2. “Google warns users of 18 bugs in mass-level Android phones” Social News XYZ, 17 Mar. 2023, https://www.socialnews.xyz/2023/03/16/google-warns-users-of-18-bugs-in-mass-level-android-phones

3. “Zero-day vulnerabilities in Exynos chipset allow hacking Samsung, Vivo and Pixel phones” Information Security Newspaper, 16 Mar. 2023, https://www.securitynewspaper.com/2023/03/16/zero-day-vulnerabilities-in-exynos-chipset-allow-hacking-samsung-vivo-and-pixel-phones

4. “Google warns against severe security risks on Galaxy S22, Pixel 6, more” Android Authority, 17 Mar. 2023, https://www.androidauthority.com/google-project-zero-samsung-exynos-vulnerabilities-3299355/

5. “Samsung Galaxy owners issued urgent warning to download ‘critical' Android update today” Daily Record, 10 Mar. 2023, https://www.dailyrecord.co.uk/lifestyle/samsung-galaxy-owners-issued-urgent-29421226