Google warned users regarding vulnerabilities found in certain Samsung chips including in dozens of Android devices, wearables and vehicles.
Google’s Project Zero head Tim Willis wrote in a blog post on Thursday that security researchers reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung from late 2022 to early 2023.
Four of the most severe vulnerabilities allowed for internet-to-baseband remote code execution, allowing an attacker to “remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number.”
“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Willis warned.
YOUTUBE RESTORES TRUMP’S CHANNEL, ABILITY TO UPLOAD NEW CONTENT AHEAD OF 2024 ELECTION
The 14 other vulnerabilities were not quite as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.
Willis said that the affected products likely include Samsung mobile devices in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series, as well as those from Vivo in the S16, S15, S6, X70, X60 and X30 series. Also included were the Pixel 6 and Pixel 7 series of devices from Google and any vehicles that use the Exynos Auto T5123 chipset.
BEST BROWSER ALTERNATIVES FOR THE ONCE-POPULAR, NOW-RETIRED INTERNET EXPLORER
Google said that patch timelines would vary per manufacturer. Project Zero researcher Maddie Stone tweeted that Samsung had 90 days to patch the bugs, but has not yet done so. The Pixel devices are already patched with the March security update.
In the meantime, users who wish to protect themselves from the baseband remote code execution vulnerabilities in the post can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings.
“As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities,” Willis added.