Four vulnerabilities could give hackers easy access to affected phones
The flaws were discovered between late 2022 and early 2023 and four of them allowed for internet-to-baseband remote code execution. An attacker would only need someone’s phone number to exploit this vulnerability and compromise the victim’s phone silently and remotely.
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.” – Tim Willis, Project Zero
Affected smartphones and watches
Samsung is aware of the Exynos bug
- Samsung Galaxy S22 (only the Exynos-powered variants sold in the UK and Europe), A71, A53, A33, A21s, A13, A12, A04, M33, M13, and M12 series
- Samsung Galaxy Watch 5 and Watch 4
- Vivo S16, S15, S6, X70, X60 and X30 series
- Google Pixel 7 duo, Pixel 6 range, and Pixel 6a
Project Zero researcher says Samsung was alerted about the issue long ago
Project Zero advises that until a fix is rolled out, users who want to protect their devices from the baseband remote code execution vulnerabilities should turn off Wi-Fi calling and Voice-over-LTE (VoLTE).
Since the four critical bugs are easy to exploit, Project Zero has decided to make an exception to its disclosure policy and is not revealing additional details that may make a hacker’s job easier.
Source: Phone Arena