Google’s security research team has identified vulnerabilities in Samsung chips, which are present in numerous Android devices, wearables, and automobiles. The team is concerned that these flaws may be discovered and exploited soon.
According to a recent blog post by Google’s Project Zero head, Tim Willis, the company’s security researchers discovered and reported 18 zero-day vulnerabilities in Samsung’s Exynos modems over the past few months. Among these vulnerabilities were four critical flaws that have the potential to silently and remotely compromise affected devices via the cellular network.
An attacker who can remotely run code at a device’s baseband level, which refers to the Exynos modems responsible for converting cell signals to digital data, could potentially gain unrestricted access to the data transmitted to and from the affected device. This includes cellular calls, text messages, and cell data, all of which could be accessed without alerting the device’s owner.
It’s uncommon for Google, or any security research firm, to warn the public about high-severity vulnerabilities before they are patched. In this case, Google explicitly mentioned the danger posed to the public, stating that skilled attackers could quickly develop an operational exploit with minimal research and effort.
According to a tweet by Project Zero researcher Maddie Stone, Samsung was given a 90-day deadline to fix the bugs, but has not done so yet.
Samsung acknowledged the vulnerabilities in several Exynos modems in a security listing released in March 2023, which could affect several Android device manufacturers. However, the company did not disclose many other details about the issue.
Google advised users to turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings to mitigate the risk of exploitation until affected manufacturers release software updates for their customers.
According to Google, the other 14 vulnerabilities were less severe, as they either required access to a device or insider/privileged access to a cell carrier’s systems.
