Google’s ‘Project Zero,’ an in-house team of cybersecurity experts and analysts, warned in a new blog post of 18 different potential exploits in some phones using Samsung’s Exynos modems. That includes devices from Samsung, Vivo and Google’s own Pixel line (more on the specific devices below).
Project Zero warns that the exploits are severe and should be treated as zero-day vulnerabilities — the term ‘zero-day’ refers to recently-discovered exploits that software makers and manufacturers have zero days to fix. The exploits could allow malicious actors to compromise a device just by knowing the associated phone number, and the device’s owner wouldn’t notice a thing.
Specifically, four of the 18 exploits could allow a malicious actor to gain access to the data coming in and out of a device’s modem using just the phone number. That data includes things like phone calls and text messages. Particularly concerning is that this could be done remotely, while some of the other vulnerabilities would require local access to a device.
Project Zero recommends that people with affected devices install upcoming security updates as soon as possible to protect themselves from the vulnerability, though when those updates will arrive varies by manufacturer. Google included a patch for some of the flaws in its March 2023 security update for Pixel phones, for example. Impacted devices include:
- Samsung phones including the Galaxy S22 series, the Galaxy M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04
- Vivo phones including the S16, S15, S6, X70, X60 and X30
- Google Pixel 6 and 7 series
- Wearables using the Exynos W920 chipset
- Vehicles that use the Exynos Auto T5123 chipset
Those with an affected device will want to take a few steps to mitigate risks until patches arrive. Project Zero advises people to turn off Wi-Fi calling and Voice-over-LTE (VoLTE) — you should be able to find both of these in the Settings menu under Network & internet > SIMs, though the exact location may vary from device to device.
Project Zero reported the exploits to manufacturers in late 2022 and early 2024, but the team withheld publication for four other vulnerabilities due to the ongoing severity.
Source: Project Zero Via: CNET