Many of thebest Android phonesreleased in the past year have used Samsung’s Exynos modems to connect to the internet. However, if your handset uses any of these chips launched in the last three years, it could leave you vulnerable to hackers due to a critical flaw in those modems, as Google’s Project Zero team revealed 18 unpatched vulnerabilities in Samsung’s Exynos modems.
Security researchers have found problems in the Exynos modems powering recent flagship phones from Google, such as thePixel 7and Pixel 6 lineups, as well as last year’s Samsung phones, including the Galaxy S22 series, Galaxy A53, and older models. The flaws expose those devices to internet-to-baseband remote code execution. Some of Vivo’s recent models in the flagship and mid-range categories, including the Vivo X60, X70, and S15, are also at risk.
The vulnerabilities could additionally compromise smartwatches powered by an Exynos W920 chipset, like the Samsung Galaxy Watch 4 and Watch 5 series, as well as vehicles equipped with an Exynos Auto T5123 chipset. Samsung has a list of all vulnerable chips and modems onthis page.
Tim Willis, head of Google’s Project Zero, explained in ablog postthat four of those vulnerabilities could give hackers remote access to your phone “at the baseband level” using only your phone number, assuming they know it.
“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Willis wrote.
Fortunately, Google Pixel 7 owners can breathe a sigh of relief as theMarch security updatethat was rolled out a few days ago fixes the issue for the latest and greatest Pixel series. If you haven’t already, be sure to head to your system settings and look for the system updates section to see if it’s already installed. That said, the patch has yet to arrive for the Pixel 6, 6 Pro, and 6a, as9to5Googlenotes.
Security researchers rarely disclose vulnerabilities that aren’t yet resolved. However, Project Zero researcher Maddie Stonerevealed in a tweetthat “end-users still don’t have patches 90 days after the report.”
Meanwhile, Google cautions against making Wi-Fi and Voice-over-LTE (VoLTE) calls on the affected devices until Samsung resolves the problem. To ensure that these options are turned off, head to your system settings, theNetwork & internetsection, and then theSIMsmenu entry. In here, you can turn off both VoLTE and Wi-Fi calling. That said, many carriers in the US don’t support 2G and 3G connections for phone calls anymore, meaning that turning off VoLTE will significantly reduce your network coverage when it comes to phone calls. That’s why you should only turn off these settings if you think you’re a high-risk target, and then turn them back on once you’ve got access to the March Android security patch.
