Hmm, this is not good.
Google is caveat Some Android smartphones can be remotely hacked without the intended victim clicking anything.
In a successful attack, the hackers could access data through the Samsung Exynos chipset used in many devices to collect call information and text messages.
And what do hackers need to know about you to target your phone?
your phone number.
that’s it. All they need to know is your Android device’s phone number.
Frankly, it’s terrifying. It’s easy to imagine how such a security problem could be exploited by state-sponsored hackers.
sign up for newsletterSecurity news, advice and tips.
Overall, security experts working on Google’s Project Zero team say they’ve found a total of 18 zero-day vulnerabilities in the Exynos modems found in some phones, four of which are particularly severe. is.
Testing conducted by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, allowing the attacker to know the victim’s phone number. You just need to be there. With limited additional research and development, we believe skilled attackers can rapidly craft operational exploits to silently and remotely compromise affected devices.
Other vulnerabilities require either malicious mobile network operators or attackers to have physical access to Android devices, researchers say.
Vulnerable devices are:
- Samsung smartphones including S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series.
- Vivo smartphones including S16, S15, S6, X70, X60, X30 series.
- Google Pixel 6 and Pixel 7 devices.and
- All vehicles using the Exynos Auto T5123 chipset.
Note that some devices use Qualcomm chipsets and modems that are not affected by the same vulnerabilities as Exynos’s.
Of course, Google’s Project Zero vulnerability hunters have had no hesitation in scrutinizing exploitation methods for security holes, and typically do so 90 days after notifying the relevant software or hardware vendor of the problem. public information.
However, in this case, the team at Google seems to realize that publishing at this stage can actually cause serious problems.
Project Zero will follow standard disclosure policies and disclose security vulnerabilities within a set time period after reporting them to software or hardware vendors. In rare cases where we assessed that attackers would benefit significantly more than defenders if a vulnerability were disclosed, we made an exception to our policy to delay disclosure of that vulnerability.
Baseband remote code execution from the Internet, as the combination of the level of access these vulnerabilities provide and the speed at which a reliable operational exploit could be created is extremely rare.
If you have an affected Google Pixel device, good news! Google has already issued security patches for smartphones. March 2023 security update.
However, for owners of vulnerable Samsung smartphones, a fix is not yet available, according to at least one Google Project Zero researcher.
It’s been 90 days since the report and the end user has still not been patched. https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
So what if your device is unpatched?
Google’s recommendation is to change your device settings to turn off Wi-Fi calling and Voice over LTE (VoLTE) until a fix is available for your phone.
Did you find this article interesting? Follow Graham Cluley on Twitter again Mastodon To read more about the exclusive content we post.
