Google is urging owners of certain Android phones to take urgent action to protect themselves from critical vulnerabilities that allow savvy hackers to secretly compromise their devices by making a specially crafted call to their number. It’s unclear if all of the requested actions are still possible, but even if they are, the measures will strip devices of most voice-calling capabilities.
The vulnerability affects Android devices using the Exynos chipset manufactured by Samsung’s semiconductor division. Vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are ONLY vulnerable if they run the Exynos chipset, which includes the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs a Qualcomm Snapdragon chip.
A bug identified as CVE-2023-24033 and three others that have not yet received a CVE designation allow hackers to execute malicious code, Google’s Project Zero vulnerability team said Thursday. Code execution errors in the baseband can be particularly critical because the chips are endowed with root-level system privileges to ensure that voice calls work reliably.
“Tests conducted by Project Zero confirm that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction and only require the attacker to know the victim’s phone number,” wrote Project Zero’s Tim Willis. “With limited additional research and development, we believe that experienced attackers will be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
Earlier this month, Google released a patch for vulnerable Pixel models. Samsung has released an update that fixes CVE-2023-24033, but it has not yet been delivered to end users. There is no indication that Samsung has issued patches for the other three critical vulnerabilities. Until vulnerable devices are patched, they remain exposed to attacks that provide access at the deepest possible level.
The threat prompted Willis to put this tip at the top of Thursday’s post:
Until security updates are available, users who wish to protect against baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Disabling these settings will remove the risk of exploiting these vulnerabilities.
The problem is that it is not entirely clear that it is possible to disable VoLTE, at least on many models. A screenshot posted by an S22 user on Reddit last year shows the option to turn off VoLTE grayed out. While this user’s S22 was running a Snapdragon chip, the experience for users of Exynos-based phones is likely the same.
And even if it’s possible to disable VoLTE, doing so in conjunction with disabling Wi-Fi calling can turn phones into little more than tiny Android tablets. VoLTE became widely used a few years ago, and since then most carriers in North America have stopped supporting older 3G and 2G frequencies.
Samsung representatives said in an email that the company released security patches in March for five of the six vulnerabilities that “may affect select Galaxy devices” and will patch the sixth flaw next month. The email did not respond to questions asking if any of the patches are available to end users now or if VoLTE can be disabled.
A Google spokesperson, meanwhile, declined to provide the specific steps for implementing the tips in the Project Zero write-up. Readers who find a way are invited to explain the process (with screenshots if possible) in the comments section.
Due to the severity of the bugs and the ease of exploitation by experienced hackers, Thursday’s post omitted technical details. On its product security update page, Samsung described CVE-2023-24033 as a “memory corruption while processing the type acceptance SDP feature.”
“The baseband software does not properly check the format types of the type acceptance attribute specified by the SDP, which can lead to a denial of service or code execution on the Samsung baseband modem,” the advisory added. “Users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability.”
Short for Service Discovery Protocol layer, SDP enables the discovery of services available from other devices over Bluetooth. In addition to discovery, SDP allows applications to specify the technical characteristics of these services. SDP uses a request/response model for device communication.
The threat is serious, but again, it only applies to people using an Exynos version of one of the affected models. And once again, Google issued a patch earlier this month for Pixel users.
Until Samsung or Google say more, users of devices that remain vulnerable should (1) install all available security updates, keeping an eye out for a CVE-2023-24033 patch, (2) disable Wi-Fi calling, and (3) explore the settings menu of the specific model to see if it is possible to disable VoLTE. This post will be updated if either company responds with more helpful information.