18 Zero-Day Flaws Impact Samsung Android Handsets, Wearables And Telematics

Over a dozen zero-day bugs rooted in Samsung’s Exynos chipsets leave a bevy of devices that use them, ranging from Android handsets and wearables to in-car infotainment systems, vulnerable to attack, according to Google’s Project Zero.

Researchers warn 18 zero-day vulnerabilities, each with a CVSS severity rating of high, could allow a range of attacks, the most severe allowing adversaries to remotely compromise a phone at the baseband level with no user interaction. The only prerequisite for the attack is knowing the target’s phone number.

Samsung’s Exynos chipsets

The flaws are baseband remote code execution vulnerabilities that impact Samsung’s Exynos chipsets. The chipsets are tied to Samsung’s use of Wi-Fi calling and Voice-over-LTE (VoLTE) within the Android operating system.

“The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution,” wrote Google’s research team.

Baseband is a type of transmission signal used by telecommunication devices (phones, wearables and telematics) that is similar to broadband. Where broadband uses radiofrequency, baseband uses bidirectional digital signaling at higher frequencies.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Google said.

Affected devices are those running Exynos chipsets and include:

Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series; Mobile devices from
