Project Zero, Google’s dedicated security research team, has found major issues in Samsung modems that power devices like the Pixel 6, Pixel 7, and some Galaxy S22 and A53 models. According to its blog post, a variety of Exynos modems have a series of vulnerabilities that could “allow an attacker to remotely compromise a phone at the baseband level without user interaction” without requiring much more than the phone number of the victim. And, frustratingly, it looks like Samsung is dragging its feet on fixing it.
The team also warns that experienced hackers could exploit the problem “with only limited additional research and development”. Google says the March security update for Pixels should fix the problem – however, 9to5Google notes that it’s not yet available for the Pixel 6, 6 Pro and 6a (we also checked on our own 6a and there was no update). The researchers say they believe the following devices may be at risk:
It should be noted that for devices to be vulnerable, they must use one of the affected Samsung modems. For many S22 owners, this might be a relief – phones sold outside Europe and some African countries have a Qualcomm processor and also use a Qualcomm modem, so should be safe from these specific issues. But phones with Exynos processors, like the popular mid-range A53 and European S22, could be vulnerable.
In theory, the S21 and S23 are safe – newer Samsung flagships use Qualcomm worldwide, and older ones with Exynos chips use a modem that doesn’t appear on Samsung’s list of affected chips.
If you know your phone is using one of the vulnerable modems and you’re concerned that it could be exploited (remember that attacks could “compromise affected devices silently and remotely”), Project Zero says you can protect yourself by turning off Wi-Fi calling and Voice over LTE. Yes, your calls will be worse, but it’s probably worth it.
Traditionally, security researchers wait until a patch is available before announcing they’ve found the bug, or until some time has passed since they reported it without any patch in sight. It seems to be the latter case here – as TechCrunch notes, Project Zero researcher Maddie Stone tweeted that “end users still don’t have fixes 90 days after the report”, which seems to be a nudge to Samsung and other vendors that they need to fix the problem.
Samsung did not immediately respond to The edge’s request for comment on why there doesn’t seem to be a fix yet.
In total, Project Zero found 18 vulnerabilities in modems. Four are the very bad ones that allow “remote code execution from the Internet to baseband”, and Google says it isn’t sharing additional information about these at this time, despite its usual disclosure policy. (Again, due to the fact that it thinks they could very easily be exploited.) The others were more minor, requiring “either a malicious mobile network operator or an attacker with local access to the device.” To be clear, it’s still not great – we’ve seen how fragile carrier security can be – but at least they’re not as bad as the others.