Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs

Trending 6 months ago

Google information analysts person warned Android instrumentality users that respective zero-day vulnerabilities successful immoderate Samsung chipsets could let an attacker to wholly hijack and remote-control their handsets knowing conscionable nan telephone number.

Between precocious 2022 and early this year, Google's Project Zero recovered and reported 18 of these bugs successful Samsung's Exynos cellular modem firmware, according to Tim Willis, who heads nan bug-hunting team.

Four of nan 18 zero-day flaws tin let internet-to-baseband distant codification execution. The baseband, aliases modem, information of a instrumentality typically has privileged low-level entree to each nan hardware, and truthful exploiting bugs wrong its codification tin springiness an intruder afloat power complete nan telephone aliases device. Technical specifications of these holes person been withheld for now to protect users of susceptible gear.

"Tests conducted by Project Zero corroborate that those 4 vulnerabilities let an attacker to remotely discuss a telephone astatine nan baseband level pinch nary personification interaction, and require only that nan attacker cognize nan victim's telephone number," Willis wrote successful a breakdown of nan information flaws. 

Skilled attackers would beryllium capable to quickly create an operational utilization to discuss affected devices silently and remotely

"With constricted further investigation and development, we judge that skilled attackers would beryllium capable to quickly create an operational utilization to discuss affected devices silently and remotely," he added.

One of these 4 terrible bugs has been assigned a CVE number, and it's tracked arsenic CVE-2023-24033. The different 3 are awaiting bug IDs.

The different 14 issues aren't arsenic terrible and require "either a malicious mobile web usability aliases an attacker pinch section entree to nan device," according to Willis. These see CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and 9 different vulnerabilities that haven't yet been assigned identifiers.

According to Google, nan pursuing devices usage perchance susceptible Exynos modems: Samsung's S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 products; Vivo mobile devices including nan S16, S15, S6, X70, X60 and X30 series; nan Pixel 6 and Pixel 7 bid of devices from Google; and vehicles that usage nan Exynos Auto T5123 chipset.

Google issued a hole for CVE-2023-24033 affecting Pixel devices successful its March information update. Until nan different manufacturers plug nan holes, Willis suggests turning disconnected Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against baseband distant codification execution, if you're utilizing a susceptible instrumentality powered by Samsung's silicon.

And, arsenic always, spot your gadgets arsenic soon arsenic nan package updates go available.

  • Microsoft: Patch this terrible Outlook bug that Russian miscreants exploited
  • Here's really Chinese cyber spies exploited a captious Fortinet bug
  • Google euthanizes Chrome Cleanup Tool because it nary longer has a purpose
  • Apple splats zero-day bug, different gremlins successful macOS, iOS

Google's squad — and most information researchers — adhere to a 90-day disclosure timeline, meaning aft they study nan bug to nan hardware aliases package vendor, nan vendor has 90 days to rumor a fix. After that, nan researchers disclose nan flaw to nan public.

However, successful immoderate very uncommon and captious cases, wherever nan "attackers would use importantly much than defenders if a vulnerability was disclosed," nan bug hunters make an objection and hold disclosure, Willis noted. That's nan lawsuit pinch nan 4 zero-days that let for internet-to-baseband RCE.

Of nan 14 remaining little terrible flaws, Project Zero disclosed 4 that exceeded its 90-day deadline. The different 10 will beryllium released to nan nationalist if they deed nan 90-day people without fixes, Willis added. ®