


Image: A Samsung Galaxy S21 running on the Exynos chipset.

Google is urging owners of certain Android smartphones to take urgent action against critical vulnerabilities that give skilled hackers the ability to surreptitiously compromise their devices by making specially crafted calls to their numbers. It is not clear whether all of the requested actions are possible, and even if they are, they will disable most of the devices’ voice-calling capabilities.

This vulnerability affects Android devices using Exynos chipsets manufactured by Samsung’s semiconductor division. Vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung smartphones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are vulnerable only if they run Exynos chipsets, which include baseband processing of voice call signals. The US version of the Galaxy S22 is powered by a Qualcomm Snapdragon chip.

The bug tracked as CVE-2023-24033 and three other bugs not yet given a CVE designation could allow hackers to execute malicious code, Google’s Project Zero vulnerability team reported Thursday. Baseband code execution bugs can be particularly critical because the chip is granted root-level system privileges to ensure voice calls work.

Testing conducted by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user intervention, requiring only that the attacker know the victim’s phone number, writes Tim Willis of Project Zero. With limited additional research and development, we believe skilled attackers can rapidly craft operational exploits to silently and remotely compromise affected devices.

Earlier this month, Google released a patch for vulnerable Pixel models. Samsung has released an update to patch CVE-2023-24033, but it has not yet been delivered to end users. There is no indication that Samsung has issued patches for the three other critical vulnerabilities. Until vulnerable devices are patched, they remain vulnerable to attacks that allow access at the deepest level possible.

The threat prompted Willis to put the following advice at the top of Thursday’s post:

Until a security update is available, users wishing to protect themselves from the baseband remote code execution vulnerability in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings removes the risk of these vulnerabilities being exploited.

The problem is that it’s not entirely clear whether VoLTE can be turned off, at least on many models. A screenshot that one S22 user posted on Reddit last year shows the option to turn off VoLTE greyed out. That user’s S22 was running a Snapdragon chip, but the experience for users of Exynos-based phones is likely the same.

And even if VoLTE can be turned off, doing so in combination with turning off Wi-Fi can leave the phone little more than a small tablet running Android. VoLTE came into widespread use a few years ago, and since then most North American carriers have stopped supporting older 3G and 2G frequencies.

A Samsung rep said in an email that the company released security patches for five of the six vulnerabilities that could affect some Galaxy devices in March, and will patch the sixth next month. The email did not answer questions asking if a patch was currently available for end users or if it would be possible to turn off VoLTE.

A Google representative, meanwhile, declined to provide specific instructions for implementing the advice in the Project Zero article. Readers who find a way are invited to describe the process (preferably with screenshots) in the comments section.

Technical details were omitted from Thursday’s post due to the severity of the bug and the ease of exploitation by a skilled hacker. On its product security update page, Samsung described CVE-2023-24033 as a memory corruption when processing the SDP attribute accept-type.

Baseband software does not properly check the format type of the accept-type attribute specified by SDP, which could lead to denial of service and code execution on Samsung baseband modems, the advisory added. Users can disable WiFi calling and VoLTE to mitigate the effects of this vulnerability.

Short for Service Discovery Protocol Layer, SDP allows discovery of available services from other devices over Bluetooth. In addition to discovery, SDP allows applications to determine the technical characteristics of these services. SDP uses a request/response model for device communication.

The threat is serious, but again, it only applies to users with Exynos versions of one of the affected models. Google also issued a patch for Pixel users earlier this month.

Until Samsung or Google announce more details, users of devices that remain vulnerable should (1) install all available security updates, watching for one that patches CVE-2023-24033, (2) turn off Wi-Fi calling, and (3) check their specific model’s settings menu to see whether VoLTE can be turned off. This post will be updated when either company responds with more useful information.

