Samsung, Vivo, Google phones open to remote compromise without user interaction

Several vulnerabilities in Samsung’s Exynos chipsets may allow attackers to remotely compromise specific Samsung Galaxy, Vivo and Google Pixel mobile phones with no user interaction.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Google Project Zero researchers have noted.

Therefore, they decided to go public before before the end of their usual 90-day non-disclosure deadline and share mitigation advice to help users protect themselves until patches are made widely available.

About the vulnerabilities

Researchers Natalie Silvanovich, Ivan Fratric, Felix Wilhelm, Ian Beer and Jann Horn found a total of 18 vulnerabilities affecting a variety of Samsung Exynos chipsets, which are included in:

• Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
• Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
• The Pixel 6 and Pixel 7 series of devices from Google; and
• Any vehicles that use the Exynos Auto T5123 chipset.

No details have been disclosed about the four critical vulnerabilities that allow baseband remote code execution (CVE-2023-24033 and three currently without a CVE-IDs).

The rest of the related vulnerabilities (CVE-2023-26072 to CVE-2023-26076 + 9 without a CVE-ID) are less severe, “as they require either a malicious mobile network operator or an attacker with local access to the device,” according to Tim Willis, Head of Project Zero.

How to mitigate the risk of a remote compromise?

If you’re using one of the affected devices, you can protect yourself from by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in your device settings, Willis shared.

Wi-Fi calling uses a wireless internet connection instead of cellular signal to carry out voice calls and it comes handy in areas with poor or no cellular coverage. VoLTE uses 4G LTE networks instead of 2G or 3G networks to carry out calls, which allows for a higher-quality audio during calls and the user to do things like browse the web or send and receive messages while on a phone call.

Turning off Wi-Fi calling and VoLTE until you can implement patches for those vulnerabilities means experiencing poorer service or even being unable to make phone calls depending on where you are and whether available carriers have already stopped offering 2G and 3G services.

Whether you can afford to switch off Wi-Fi calling and VoLTE or not, keep an eye for patches and implement them as soon as they are made available. Google has already pushed out a fix for CVE-2023-24033.