Google’s Project Zero team, which searches for zero-day vulnerabilities, has discovered over 18 zero-day vulnerabilities in Samsung Exynos chipsets, commonly used in smartphones, portable devices, and cars. Despite reports of security issues in Exynos dating back to the end of 2022, many remain unfixed as of December 2022.
According to Tim Willis, the head of Project Zero, attackers only need the victim’s phone number to execute an attack, making it easier for hackers. Experienced hackers can easily create an exploit that remotely compromises vulnerable devices without alerting victims. Of the 18 vulnerabilities found, four are critical RCE-vulnerabilities, enabling the remote execution of malicious code. The other 14 vulnerabilities, while non-critical, still pose some level of risk and require local access or a malicious mobile operator.
The range of impacted devices is extensive and includes the below models:
• Samsung smartphones, including S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04
• Vivo mobile devices, including S16, S15, S6, X70, X60, and X30
• Google Pixel 6 and 6 Pro, Pixel 6A, Pixel 7 and 7 Pro
• Any wearable devices on the Exynos W920
• Any cars using the Exynos Auto T5123 chipset
While Samsung has provided a correction for their devices, it cannot be applied by all affected users. Currently, only Google has corrected the vulnerability (CVE-2023-24033) for Pixel devices, with security updates rolled out in March 2023. Other manufacturers are expected to create updates as they become available. In the interim, users are recommended to disable Wi-Fi and Volte calls to eliminate the attack vector.