Hmm, this is not good.

Google is caveat Some Android smartphones can be remotely hacked without the intended victim clicking anything.

In a successful attack, the hackers could access data through the Samsung Exynos chipset used in many devices to collect call information and text messages.

And what do hackers need to know about you to target your phone?

your phone number.

that’s it. All they need to know is your Android device’s phone number.

Frankly, it’s terrifying. It’s easy to imagine how such a security problem could be exploited by state-sponsored hackers.

e-mailsign up for newsletter
Security news, advice and tips.

Overall, security experts working on Google’s Project Zero team say they’ve found a total of 18 zero-day vulnerabilities in the Exynos modems found in some phones, four of which are particularly severe. is.

Testing conducted by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, allowing the attacker to know the victim’s phone number. You just need to be there. With limited additional research and development, we believe skilled attackers can rapidly craft operational exploits to silently and remotely compromise affected devices.

Other vulnerabilities require either malicious mobile network operators or attackers to have physical access to Android devices, researchers say.

Vulnerable devices are:

  • Samsung smartphones including S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series.
  • Vivo smartphones including S16, S15, S6, X70, X60, X30 series.
  • Google Pixel 6 and Pixel 7 devices.and
  • All vehicles using the Exynos Auto T5123 chipset.

Note that some devices use Qualcomm chipsets and modems that are not affected by the same vulnerabilities as Exynos’s.

Of course, Google’s Project Zero vulnerability hunters have had no hesitation in scrutinizing exploitation methods for security holes, and typically do so 90 days after notifying the relevant software or hardware vendor of the problem. public information.

However, in this case, the team at Google seems to realize that publishing at this stage can actually cause serious problems.

Project Zero will follow standard disclosure policies and disclose security vulnerabilities within a set time period after reporting them to software or hardware vendors. In rare cases where we assessed that attackers would benefit significantly more than defenders if a vulnerability were disclosed, we made an exception to our policy to delay disclosure of that vulnerability.

Baseband remote code execution from the Internet, as the combination of the level of access these vulnerabilities provide and the speed at which a reliable operational exploit could be created is extremely rare.

If you have an affected Google Pixel device, good news! Google has already issued security patches for smartphones. March 2023 security update.

However, for owners of vulnerable Samsung smartphones, a fix is ​​not yet available, according to at least one Google Project Zero researcher.

So what if your device is unpatched?

Google’s recommendation is to change your device settings to turn off Wi-Fi calling and Voice over LTE (VoLTE) until a fix is ​​available for your phone.

Did you find this article interesting? Follow Graham Cluley on Twitter again Mastodon To read more about the exclusive content we post.


Graham Cluley is a veteran of the antivirus industry and has worked for many security companies since the early 1990s when he created the first version of Dr. Solomon’s Antivirus Toolkit for Windows. He is now an independent security he is an analyst and makes regular media appearances and lectures internationally on the topics of computer he security, hackers and online he privacy. Follow him on Twitter. @gcluleyfor Mastodon @[email protected]or drop him an email.

cropped-BTA_Logo-B-1-scaled-1
YOUR FUTURE STARTS HERE.

BLUE TRAINING ACADEMY

Register now for our membership to gain access to our elite training program and fast forward your career today!

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

cropped-BTA_Logo-B-1-scaled-1
Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog