Google sounds alarm on Samsung modem bugs in Android devices • The Register

Google security analysts have warned Android device users that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack and remote-control their handsets knowing just the phone number.
Between late 2022 and early this year, Google’s Project Zero found and reported 18 of these bugs in Samsung’s Exynos cellular modem firmware, according to Tim Willis, who heads the bug-hunting team. Four of the 18 zero-day flaws can allow internet-to-baseband remote code execution. The baseband, or modem, portion of a device typically has privileged low-level access to all the hardware, and so exploiting bugs within its code can give an intruder full control over the phone or device. Technical details of these holes have been withheld for now to protect users of vulnerable equipment.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” Willis wrote in a breakdown of the security flaws.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” he added.
One of these four severe bugs has been assigned a CVE number, and it’s tracked as CVE-2023-24033. The other three are awaiting bug IDs.

The other 14 issues aren’t as severe and require “either a malicious mobile network operator or an attacker with local access to the device,” according to Willis. These include CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that haven’t yet been assigned identifiers.

Affected devices include those using Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series of chips; Vivo mobile devices including the S16, S15, S6, X70, X60 and X30 series; the Pixel 6 and Pixel 7 series of devices from Google; and vehicles that use the Exynos Auto T5123 chipset.
Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update. Until the other manufacturers plug the holes, Willis suggests turning off Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against baseband remote code execution, if you’re using a vulnerable device powered by Samsung’s silicon.

And, as always, patch your gadgets as soon as the software updates become available.

Google’s team — and most security researchers — adhere to a 90-day disclosure timeline, meaning after they report the bug to the hardware or software vendor, the vendor has 90 days to issue a fix. After that, the researchers disclose the flaw to the public.
However, in some very rare and critical cases, where the “attackers would benefit significantly more than defenders if a vulnerability was disclosed,” the bug hunters make an exception and delay disclosure, Willis noted. That is the case with the four zero-days that allow for internet-to-baseband RCE.
Of the 14 remaining less severe flaws, Project Zero disclosed four that exceeded its 90-day deadline. The other 10 will be released to the public if they hit the 90-day mark without fixes, Willis added. ®