Google finds major security flaw in popular smartphones with Exynos modems: Galaxy S22 series, Pixel 7 owners at risk

Highlights
  • A variety of Exynos modems have a series of vulnerabilities that could allow an attacker to remotely compromise a phone.
  • The issue affects phones with Samsung Exynos modems, including the Pixel 6 and Pixel 7 series.
  • Any wearables and vehicles that use the Exynos W920 and Exynos Auto T5123 chipsets are also vulnerable.

Google’s dedicated security research team, Project Zero, has publicly disclosed issues with the Samsung modems that power recent phones such as the Pixel 6, Pixel 7, and some of the Samsung Galaxy S22 and Galaxy A53 models. According to the company's blog post, a variety of Exynos modems have a series of vulnerabilities that could “allow an attacker to remotely compromise a phone at the baseband level with no user interaction”. The attacker needs no more information than the victim’s phone number.

Furthermore, the team has also warned that hackers could exploit the issue “with only limited additional research and development.” While Google said the March security update for Pixel phones should fix the issue, it was not available for the Pixel 6, Pixel 6 Pro, and Pixel 6a yet.

List of devices at risk

According to researchers, the devices that may be at risk include the Samsung Galaxy S22, Galaxy M33, Galaxy M13, Galaxy M12, Galaxy A71, Galaxy A53, Galaxy A33, Galaxy A21, Galaxy A13, Galaxy A12 and Galaxy A04. Besides Samsung phones, Vivo phones such as the Vivo S16, Vivo S15, Vivo X70, Vivo X60, and Vivo X30 series may also be at risk. Any wearables and vehicles that use the Exynos W920 and Exynos Auto T5123 chipsets are also vulnerable.

Do note that not every model mentioned above is vulnerable: a device is affected only if it uses one of the affected Samsung modems. The Samsung Galaxy S22 models sold outside of Europe and some African countries have a Qualcomm processor and use that chipmaker's in-house modem. This means they should be safer to use.

The Samsung Galaxy S21 and Galaxy S23 models could be safe to use since they use Qualcomm worldwide, and the older ones with the Exynos chips use a modem that doesn’t appear on Samsung’s list of chips that are affected. If you are worried that your device might be affected, the Project Zero team says users can protect themselves by turning off Wi-Fi calling and voice-over LTE.

Still no fix yet

Traditionally, security researchers disclose bugs and vulnerabilities only once a fix is available, or once a certain amount of time has passed since they reported them and there appears to be no fix in sight. Here, the latter appears to be the case: as TechCrunch notes, Project Zero researcher Maddie Stone tweeted that “end-users still don’t have patches 90 days after the report.” This could be a problem for Samsung and other vendors, as they need to deal with it.

Project Zero found 18 vulnerabilities in the modems in total. Four of them are really bad ones that allow “Internet-to-baseband remote code execution.” Google says that it is not sharing additional information on those at the moment. The rest are minor and require “either a malicious mobile network operator or an attacker with local access to the device.”