Between late 2022 and early 2023, Project Zero uncovered a significant security issue in Exynos modems developed by Samsung Semiconductor. A total of eighteen 0-day vulnerabilities were identified, of which four were deemed particularly severe because they allow Internet-to-baseband remote code execution.
"With just knowledge of the victim's phone number, an attacker could remotely compromise a phone at the baseband level without any user interaction," said Tim Willis of Project Zero. This alarming capability highlights the potential risks involved, particularly as it could enable malicious actors to create an operational exploit quickly with minimal effort.
The vulnerabilities in question are assigned the identifiers CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498. Project Zero emphasized that extensive research and development could help skilled attackers devise a method to exploit these vulnerabilities efficiently. While the other fourteen vulnerabilities identified (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, alongside nine additional yet-to-be-assigned CVE-IDs) are notable, they require more direct access to exploit effectively.

Impact and Legacy
A crucial concern arises when considering the range of devices potentially impacted by these vulnerabilities. The advisory from Samsung Semiconductor includes a list of affected Exynos chipsets, indicating a broad spectrum of devices. Some of the notable products likely affected include:
- Any vehicles utilizing the Exynos Auto T5123 chipset,
- Google’s Pixel 6 and Pixel 7 series,
- Various mobile devices from Vivo such as the S16, S15, S6, X70, X60, and X30 series,
- Samsung devices from the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series.
As for remedial actions, patch timelines differ by manufacturer. Google began distributing fixes for all four severe vulnerabilities to Pixel devices in the March 2023 security update. To help mitigate risks in the interim, users of affected devices are advised to disable services like Wi-Fi calling and Voice-over-LTE (VoLTE), though the ability to change these settings may depend on the carrier.
Project Zero also adheres to a strict disclosure policy regarding vulnerabilities. However, Willis noted a significant exception for these four critical vulnerabilities. "Due to the rare level of access and the speed at which a reliable exploit could be developed, we have chosen to delay disclosure of these vulnerabilities," Willis stated. This decision reflects Project Zero's commitment to transparency while prioritizing user safety.

Conversely, of the fourteen remaining vulnerabilities, four (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, and CVE-2023-26075) have surpassed the standard 90-day disclosure deadline and have now been made public. The remaining ten vulnerabilities will follow suit once their deadlines are reached, if they remain unfixed.
Updates have continued in the weeks since. Notably, a March 20 update to the blog post noted revisions to Google Pixel’s March 2023 Security Bulletin, clarifying that fixes for all four severe vulnerabilities were available, contrary to earlier statements.
With the increasing dependence on mobile technology, understanding and addressing vulnerabilities like those found in Exynos modems is crucial for device security. Users are encouraged to remain vigilant and update their devices promptly to ensure protection against both known and undisclosed vulnerabilities as they emerge.

