Project Zero, Google’s dedicated security research team, has found some major issues with Samsung modems that power devices like the Pixel 6, Pixel 7, and some Galaxy S22 and A53 models. According to its blog post, a variety of Exynos modems have a number of vulnerabilities that could “allow an attacker to remotely compromise a phone at the baseband level without user interaction” without needing much more than the victim’s phone number. And frustratingly, Samsung seems to be taking a long time to fix them.
The team also warns that experienced hackers could exploit the issue “with only limited additional research and development.” Google says the March security update for Pixels should fix the problem, though 9to5Google notes that it is not yet available for the Pixel 6, 6 Pro and 6a (we also checked on our own 6a and there was no update). The researchers say they believe the following devices may be at risk:
It is worth noting that for devices to be vulnerable, they must use one of the affected Samsung modems. For many S22 owners, that might be a relief: phones sold outside of Europe and some African countries have a Qualcomm processor and also use a Qualcomm modem, so they should be safe from these specific problems. But phones with Exynos processors, like the popular mid-range A53 and the European S22, can be vulnerable.
In theory, the S21 and S23 are safe: Samsung’s newer flagships use Qualcomm worldwide, and older ones with Exynos chips use a modem that doesn’t appear on Samsung’s list of affected chips.
If you know your phone uses one of the vulnerable modems and you’re worried it might be exploited (remember, attacks could “silently and remotely compromise affected devices”), Project Zero says you can protect yourself by disabling Wi-Fi calling and Voice over LTE. Yes, your calls will be worse, but it’s probably worth it.
Traditionally, security researchers will wait until a fix is available before announcing that they have found the bug, or until a certain amount of time has passed since they reported it with no fix in sight. It looks like it’s the latter case here: as TechCrunch notes, Project Zero researcher Maddie Stone tweeted that “end users still have no patches 90 days after the report”, which seems to be a nudge to Samsung and other vendors to deal with the problem.
Samsung did not immediately respond to The Verge’s request for comment on why there doesn’t seem to be a patch yet.
In total, Project Zero found 18 vulnerabilities in the modems. Four are the really bad ones that enable “baseband Internet remote code execution,” and Google says it’s not sharing any additional information about them at this time, despite its usual disclosure policy. (Again, that’s because it thinks they could be exploited very easily.) The rest were smaller and required “a rogue mobile network operator or attacker with local access to the device.” To be clear, that’s still not good; we’ve seen how flimsy carrier security can be, but at least they’re not as bad as the others.