March 29, 2023



Galaxy S22 & Pixel 7 at risk due to critical Exynos vulnerabilities


Security researchers on Google’s Project Zero team have found several severe zero-day vulnerabilities in Samsung’s Exynos modems. The vulnerabilities affect dozens of smartphones and wearables from Samsung, Google, and Vivo. The Galaxy S22 series, Galaxy A53, Galaxy A33, Pixel 6 series, Pixel 7 series, Vivo X70 series, and the Vivo S16 series are among the many affected devices.

In a recent blog post, Project Zero revealed that they’ve discovered 18 zero-day vulnerabilities in Exynos modems produced by Samsung Semiconductor. Four of these are critical flaws that could result in Internet-to-baseband remote code execution if exploited in the wild. A remote attacker would only need to know the victim’s phone number to compromise a phone at the baseband level with no user interaction. These vulnerabilities aren’t too difficult to exploit, the researchers concluded.

The remaining 14 vulnerabilities aren’t as severe, though. They require “either a malicious mobile network operator or an attacker with local access to the device”. Project Zero reported these vulnerabilities to Samsung between late 2022 and early 2023. It’s been more than 90 days since the researchers submitted some of the reports, but the Korean company has yet to patch any of the flaws.

Full list of devices affected by these Exynos vulnerabilities

These zero-day vulnerabilities affect over a dozen Samsung smartphones, including the Galaxy S22, Galaxy M33, Galaxy M13, Galaxy M12, Galaxy A71, Galaxy A53, Galaxy A33, Galaxy A21, Galaxy A13, Galaxy A12, and Galaxy A04 series.

Google, which started using Samsung-made Tensor chips in Pixel smartphones in 2021, has also found all current Pixel models vulnerable, i.e. the Pixel 6 and Pixel 7 series. Affected Vivo devices include the Vivo S16, Vivo S15, Vivo S6, Vivo X70, Vivo X60, and the Vivo X30 series.


Moreover, any wearable product that features the Exynos W920 chipset is also vulnerable to these security flaws. Samsung’s Galaxy Watch 4 and Galaxy Watch 5 series are among them. Lastly, these Exynos modem vulnerabilities also affect vehicles using the Exynos Auto T5123 chipset. According to the official release from Project Zero, Google’s March update for Pixel devices patches the issues.

The update is already available for the Pixel 7 series, but the Pixel 6 series is still awaiting it. The vulnerabilities likely remain unpatched on other affected devices.

As a temporary security measure, Project Zero’s head Tim Willis advises users to turn off Wi-Fi calling and Voice-over-LTE (VoLTE). This will “remove the exploitation risk of these vulnerabilities” on affected devices. Unfortunately, these features are essential for many people. We hope Samsung will patch these flaws in its Exynos modems sooner rather than later.
