Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs

Trending 6 months ago
  1. Home
  2. Patches
  3. Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs

Google information analysts person warned Android instrumentality users that respective zero-day vulnerabilities successful immoderate Samsung chipsets could let an attacker to wholly hijack and remote-control their handsets knowing conscionable nan telephone number.

Between precocious 2022 and early this year, Google's Project Zero recovered and reported 18 of these bugs successful Samsung's Exynos cellular modem firmware, according to Tim Willis, who heads nan bug-hunting team.

Four of nan 18 zero-day flaws tin let internet-to-baseband distant codification execution. The baseband, aliases modem, information of a instrumentality typically has privileged low-level entree to each nan hardware, and truthful exploiting bugs wrong its codification tin springiness an intruder afloat power complete nan telephone aliases device. Technical specifications of these holes person been withheld for now to protect users of susceptible gear.

"Tests conducted by Project Zero corroborate that those 4 vulnerabilities let an attacker to remotely discuss a telephone astatine nan baseband level pinch nary personification interaction, and require only that nan attacker cognize nan victim's telephone number," Willis wrote successful a breakdown of nan information flaws. 

Skilled attackers would beryllium capable to quickly create an operational utilization to discuss affected devices silently and remotely

"With constricted further investigation and development, we judge that skilled attackers would beryllium capable to quickly create an operational utilization to discuss affected devices silently and remotely," he added.

One of these 4 terrible bugs has been assigned a CVE number, and it's tracked arsenic CVE-2023-24033. The different 3 are awaiting bug IDs.

The different 14 issues aren't arsenic terrible and require "either a malicious mobile web usability aliases an attacker pinch section entree to nan device," according to Willis. These see CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and 9 different vulnerabilities that haven't yet been assigned identifiers.

According to Google, nan pursuing devices usage perchance susceptible Exynos modems: Samsung's S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 products; Vivo mobile devices including nan S16, S15, S6, X70, X60 and X30 series; nan Pixel 6 and Pixel 7 bid of devices from Google; and vehicles that usage nan Exynos Auto T5123 chipset.

Google issued a hole for CVE-2023-24033 affecting Pixel devices successful its March information update. Until nan different manufacturers plug nan holes, Willis suggests turning disconnected Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against baseband distant codification execution, if you're utilizing a susceptible instrumentality powered by Samsung's silicon.

And, arsenic always, spot your gadgets arsenic soon arsenic nan package updates go available.

  • Microsoft: Patch this terrible Outlook bug that Russian miscreants exploited
  • Here's really Chinese cyber spies exploited a captious Fortinet bug
  • Google euthanizes Chrome Cleanup Tool because it nary longer has a purpose
  • Apple splats zero-day bug, different gremlins successful macOS, iOS

Google's squad — and most information researchers — adhere to a 90-day disclosure timeline, meaning aft they study nan bug to nan hardware aliases package vendor, nan vendor has 90 days to rumor a fix. After that, nan researchers disclose nan flaw to nan public.

However, successful immoderate very uncommon and captious cases, wherever nan "attackers would use importantly much than defenders if a vulnerability was disclosed," nan bug hunters make an objection and hold disclosure, Willis noted. That's nan lawsuit pinch nan 4 zero-days that let for internet-to-baseband RCE.

Of nan 14 remaining little terrible flaws, Project Zero disclosed 4 that exceeded its 90-day deadline. The different 10 will beryllium released to nan nationalist if they deed nan 90-day people without fixes, Willis added. ®

Related Article

Apple squashes security bugs after iPhone flaws exploited by Predator spyware

Apple squashes security bugs after iPhone flaws exploited by Predator spyware

4 days ago
Grab those updates: Microsoft flings out fixes for already-exploited bugs

Grab those updates: Microsoft flings out fixes for already-exploited bugs

2 weeks ago
Google's Chrome gets caught with its WebP down, offers hasty patch-up

Google's Chrome gets caught with its WebP down, offers hasty patch-up

2 weeks ago
You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks

You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks

3 weeks ago
Ivanti Sentry exploited in the wild, patches emitted

Ivanti Sentry exploited in the wild, patches emitted

1 month ago
Don't just patch your Citrix gear, check for intrusion: Two bugs exploited in wild

Don't just patch your Citrix gear, check for intrusion: Two bugs exploited in wild

1 month ago

Popular Article

Ransomware attack hits Sri Lanka government, causing data loss

Ransomware attack hits Sri Lanka government, causing data loss

2 weeks ago
Mesothelioma lawyers near me

Mesothelioma lawyers near me

1 week ago
Morgan Stanley values Tesla's super-hyped supercomputer at up to $500B

Morgan Stanley values Tesla's super-hyped supercomputer at up to $500B

2 weeks ago
Google thinks $20M ought to be enough to figure out how or if AI can be used responsibly

Google thinks $20M ought to be enough to figure out how or if AI can be used responsibly

2 weeks ago
Arm IPO to kick off today with company valued at $54.5 billion

Arm IPO to kick off today with company valued at $54.5 billion

1 week ago
MGM Resorts shuts down website, computer systems after 'cybersecurity incident'

MGM Resorts shuts down website, computer systems after 'cybersecurity incident'

2 weeks ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
Terms & Conditions · Disclaimers · DMCA · Privacy Policy ·

©2023 1BIGTENT.
All Rights Reserved.