A woman tries out a Samsung Electronic's Galaxy A50 at a Samsung store in Seoul, South Korea, November 14, 2019. November 14, 2019.
A woman tries out a Samsung Electronic's Galaxy A50 at a Samsung store in Seoul, South Korea, November 14, 2019. November 14, 2019. Reuters / KIM HONG-JI

KEY POINTS

  • Eighteen severe zero-day vulnerabilities were found in Samsung Exynos chipsets from 2022 to 2023
  • Four of these allowed attackers to access devices silently and remotely with just the users' numbers
  • Samsung has provided a list of Exynos chipsets that are vulnerable to the 18 exploits

Google has warned that some of its smartphones running the company's own Android operating system, as well as other devices from manufacturers such as Samsung and Vivo, could be accessed by third-party actors without owners ever becoming aware of such a breach.

A total of 18 zero-day vulnerabilities, or exploits previously only known to those who executed them, were reported in some of Samsung's Exynos-branded modems between late 2022 and early 2023, Project Zero, Google's in-house bug-finding team, announced in a Thursday blog post.

The four most severe vulnerabilities, one of which Project Zero revealed was classified as CVE-2023-24033, while the rest have yet to be given labels, supposedly allowed for Internet-to-baseband remote code execution.

The team said that with these four exploits, attackers can gain access to data going in and out of a device's modem, including phone calls and text messages, just by having the user's phone number.

"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," the cybersecurity team stated.

"With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely," Project Zero noted.

The 14 remaining reported vulnerabilities, CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine others that have yet to be assigned CVE-IDS, were not as severe as they were found to have required either a malicious mobile network operator or an attacker with local access to the device.

Project Zero chose to withhold disclosing the four vulnerabilities that allowed for Internet-to-baseband remote code execution "due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted," according to the blog post.

Samsung's semiconductor subsidiary has provided a list of Exynos chipsets that are vulnerable to the aforementioned exploits.

Among the affected devices were models from Samsung's own Galaxy series of smartphones, including the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04, according to Project Zero.

The vulnerabilities were also present in Google's Pixel 6 and Pixel 7 series of devices as well as phones from Vivo's S16, S15, S6, X70, X60 and X30 series.

Any wearables and vehicles that use the Exynos W920 and Exynos Auto T5123 chipsets, respectively, are also affected.

The timeline of delivery for patches to deal with the reported vulnerabilities will vary depending on the manufacturer, but users with affected devices can turn off Wi-Fi calling and Voice over LTE, or VoLTE, in their devices to remove the exploitation risk of these vulnerabilities, according to Project Zero.

The logo of Samsung Electronics is seen at its office building in Seoul
Reuters