Google’s Project Zero yesterday revealed many (a total of eighteen) internet-to-baseband remote code execution vulnerabilities in Samsung-made Exynos modems. These modems are found in devices like the Pixel 6 and Pixel 7 series, the Galaxy S22 series, and many others.
In layman’s terms, for those of us who are not security professionals: the most serious flaws would enable a knowledgeable attacker to build an exploit and compromise a phone just by knowing the victim’s phone number. Four of the vulnerabilities were found to be so serious that Project Zero even made an exception to its disclosure policy for them. It seems to be that bad.
The affected devices include:
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
The Pixel 6 and Pixel 7 series of devices from Google; and
Any vehicles that use the Exynos Auto T5123 chipset.
So we now know there is a problem. The good news is that those who need to know about these issues in order to fix them are aware of them, and solutions are already in the works. For instance, one of the vulnerabilities is fixed in the March security update for Pixel phones. While you wait, Google’s Project Zero advises that you manually disable Wi-Fi Calling and VoLTE (Voice-over-LTE) on your smartphone.