Samsung’s Exynos chips cited for potentially hackable flaws
Important Samsung-made chips inside several popular Android devices have serious vulnerabilities that could allow attackers to “silently and remotely” compromise them, researchers said Thursday.
Google’s Project Zero team said Thursday that the Exynos modems used in multiple series of Samsung, Pixel and Vivo phones could be attacked “with no user interaction,” with methods that “require only that the attacker know the victim's phone number.”
The report cites 18 bugs in total, all of them zero-day vulnerabilities that Samsung had not patched for consumers as of Thursday, Project Zero said. Samsung’s semiconductor unit has noted the flaws.
Like a household modem, the chips translate cellular data for the phone to use — a process known as “internet to baseband.” The researchers said it’s possible for users to avoid trouble if they “turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings.”
Typically programs like Project Zero set a deadline for a company to remedy serious vulnerabilities before going public with the information. In this case, Samsung was given 90-day periods to address the zero-days, Project Zero said, but some of those have elapsed, and the team decided it was important to warn the public about the entire set.
Several of the flaws do not yet have numbers in the “CVE” database that researchers use to track vulnerabilities, Project Zero said.
The Exynos vulnerabilities break down like this:
- Four are so serious that Project Zero isn’t disclosing their specific nature yet. “Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure,” the team said.
- Four “do not meet the high standard to be withheld from disclosure,” Project Zero said. Those are numbered CVE-2023-26072, CVE-2023-26073, CVE-2023-26074 and CVE-2023-26075.
- The remaining 10 “have not yet hit their 90-day deadline, but will be publicly disclosed at that point if they are still unfixed,” the researchers said.
Project Zero’s survey of potentially affected devices includes:
- Samsung products in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series.
- Vivo devices in the S16, S15, S6, X70, X60 and X30 series.
- Pixel 6 and Pixel 7 devices from Google. (TechCrunch reported that the March update for Pixel phones covers the newly announced bugs.)
- Cars that use the Exynos Auto T5123 chipset.
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.