Project Zero: Samsung mobile chipsets are vulnerable to baseband code execution exploits

Google’s Project Zero unit draws strong attention to several security flaws found in Samsung’s Exynos chipsets, warning that attackers can remotely compromise a baseband-level phone without any user interaction.

Project Zero team leader Tim Willis said his researchers had reported at least 18 zero-day vulnerabilities in the Exynos modems made by Samsung Semiconductor and used in the company’s flagship Galaxy devices.

In some cases, Willis says, an attacker would only need to know the victim’s phone number to exploit the flaws, known as “internet-to-baseband remote code execution” attack vectors.

“With limited additional research and development, we believe that experienced attackers would be able to quickly create an operational exploit to silently and remotely compromise affected devices,” Willis said in a note describing the issues .

“Until security updates are available, [affected users] can turn off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings. Disabling these settings eliminates the risk of exploitation of these vulnerabilities,” he added.

Willis said Google will withhold details on four of the 18 vulnerabilities due to the severity of the issue and the risk that malicious actors could quickly reproduce the findings and create in-the-wild exploits.

“Due to a very rare combination of the level of access these vulnerabilities offer and the speed with which we believe a reliable operational exploit could be created, we decided to make a policy exception to limit disclosure for the four vulnerabilities to delay the Internet to enable baseband remote code execution,” noted Willis.

He said the 14 other related vulnerabilities weren’t as severe and required either a malicious mobile network operator or an attacker with local access to the device to be successfully exploited. Project Zero has lifted the embargo on five of the vulnerabilities, although patches are not yet available.

READ :  Ukrainian engineers struggle to keep cellphones working - world

“The remaining nine vulnerabilities in this set have not yet reached their 90-day deadline, but will be publicly disclosed at that time if not already fixed,” Willis cautioned.

Samsung has issued several advisories with the list of Exynos chipsets affected by these vulnerabilities, including Samsung handsets, Vivo and Google’s own Pixel 6/7 phones.

Samsung described the issues as heap buffer overflows in the 5G MM message codec when decoding extended emergency lists, service area lists and reserved options.

See Also: Project Zero Flags “Patch Gap” Issues on Android

See also: Google Project Zero Update Vulnerability Disclosure Policy

See also: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation