In late 2022 and early 2023, Project Zero discovered a series of vulnerabilities in Exynos Modems produced by Samsung Semiconductor. These vulnerabilities pose a serious threat to mobile devices, potentially allowing attackers to compromise a phone at the baseband level with no user interaction. This article will provide information on the affected devices, patch timelines, and steps you can take to protect your phone from these vulnerabilities.
The Exynos modem vulnerabilities impact a wide range of mobile devices, including:
- Samsung’s S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series,
- Vivo’s S16, S15, S6, X70, X60, and X30 series,
- and the Pixel 6 and Pixel 7 series of devices from Google.
- additionally, any vehicles that use the Exynos Auto T5123 chipset may also be affected.
Severity of Vulnerabilities
Out of the eighteen 0-day vulnerabilities discovered, four (CVE-2023-24033 and three others not yet assigned CVE-IDs) are particularly severe, allowing for Internet-to-baseband remote code execution with no user interaction required. Attackers only need the victim’s phone number to compromise the device. The remaining fourteen vulnerabilities are not as severe, requiring either a malicious mobile network operator or local access to the device.
Patch timelines will vary by manufacturer, but it is essential to update your device as soon as possible. The Pixel devices have already received a fix for CVE-2023-24033 in the March 2023 security update. Meanwhile, Samsung Semiconductor’s advisories provide a list of Exynos chipsets that are affected by these vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings.
Vulnerabilities Withheld from Disclosure
In rare cases where disclosing vulnerabilities would benefit attackers more than defenders, Project Zero delays disclosure to vendors. For the four vulnerabilities that allow for Internet-to-baseband remote code execution, disclosure has been delayed due to the level of access and the speed with which reliable operational exploits could be crafted. Project Zero will continue to disclose exceptions publicly and add these issues to the list once they are all disclosed.
Related Vulnerabilities Not Withheld: Of the remaining fourteen vulnerabilities, four have exceeded Project Zero’s standard 90-day deadline and have been publicly disclosed in the issue tracker (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, and CVE-2023-26075). The remaining ten vulnerabilities will be publicly disclosed if they are still unfixed after their 90-day deadline.
The Exynos modem vulnerabilities pose a significant risk to mobile devices, and it is essential to take steps to protect your device. Stay informed about patch timelines and update your device as soon as possible. Additionally, turning off Wi-Fi calling and VoLTE in your device settings can help protect you from the baseband remote code execution vulnerabilities. Remember to stay vigilant and take action to keep your device and data safe.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.