Google security teams have found 18 vulnerabilities in Samsung Exynos chips used in leading Android smartphones and wearables. According to the security team, these vulnerabilities put the devices at risk of a security breach.
Google security team's comments on dangerous vulnerabilities
According to the head of Google's Project Zero, Tim Willis, the four most dangerous vulnerabilities 'allow for internet-to-baseband remote code execution'. Tests run by Google security teams confirmed that these four vulnerabilities could allow an attacker to remotely compromise a phone at the baseband level without user interaction. The attacker only needs the victim's phone number to do so. Google security researchers commented on the vulnerabilities found in the Samsung devices. They said, "We believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely."
"Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung's Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings," said Willis. Turning off these settings will remove the exploitation risk of these vulnerabilities, he added.
List of affected devices by vulnerabilities in Samsung devices
The affected mobile devices are from Samsung, Vivo, and Google (Pixel 6 and Pixel 7 series). Furthermore, any wearables with the Exynos W920 chipset and vehicles with the Exynos Auto T5123 chipset are among the 'devices at risk'. Google's affected Pixel devices have received a fix. However, the patch timelines for other brands will vary by manufacturer.
"As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities," said Google.
Based on the list of affected chipsets provided by Samsung, the list of affected devices includes but is likely not limited to:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google;
- Any wearables that use the Exynos W920 chipset; and
- Any vehicles that use the Exynos Auto T5123 chipset.