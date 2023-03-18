



Google has discovered multiple zero-day vulnerabilities in Samsung’s Exynos modems that could potentially compromise a large number of Android devices without user interaction. Affected devices include smartphones, wearables and even vehicles.

A total of 18 zero-day vulnerabilities were discovered by security analysts on Google’s Project Zero team, as reported by TechCrunch. Four of them are critical enough to allow remote code execution from the Internet into the baseband. This means that an attacker can compromise a mobile phone with just the victim’s phone number, and no user interaction is required.

Project Zero lead Tim Willis explains in a blog post: remotely.”

The vulnerabilities were discovered in the Exynos modem and affect dozens of devices. Google has provided the following list of potentially affected products.

Google’s own Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, and Pixel 7 Pro

S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series Samsung devices

S16, S15, S6, X70, X60, X30 series Vivo devices

Wearables using the Exynos W920 chipset

All vehicles using the Exynos Auto T5123 chipset

Maddie Stone, a security researcher on the Project Zero team, confirmed in a tweet that Samsung has been given 90 days to release a patch, but the patch is still not available.

Due to the wide variety of devices affected by these vulnerabilities, patch timelines vary. Google has included a fix for Pixel devices in the March 2023 Security Update, but it must be installed, and the update is still pending release for some Pixel models (Pixel 6, Pixel 6 Pro, Pixel 6a).

If you own one of the affected devices and don’t want to wait for a security patch, we recommend turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in your device settings. It’s also important to check if your device has any updates waiting to be installed.

Of the 14 other zero-day vulnerabilities found by Project Zero, Willis said they were “less serious because they required either a malicious mobile network operator or an attacker with local access to the device.” However, Samsung needs to create patches to fix these security vulnerabilities as soon as possible.

