Google tells users of some Android phones: Nuke voice calling to avoid infection

Enlarge / Photos of the Samsung Galaxy S21, which runs with an Exynos chipset.Samsung

Google is urging house owners of sure Android telephones to take pressing motion to guard themselves from essential vulnerabilities that give expert hackers the flexibility to surreptitiously compromise their gadgets by making a specifically crafted name to their quantity.  It’s not clear if all actions urged are even potential, nevertheless, and even when they’re, the measures will neuter gadgets of most voice-calling capabilities.
The vulnerability impacts Android gadgets that use the Exynos chipset made by Samsung’s semiconductor division. Susceptible gadgets embody the Pixel 6 and seven, worldwide variations of the Samsung Galaxy S22, numerous mid-range Samsung telephones, the Galaxy Watch 4 and 5, and automobiles with the Exynos Auto T5123 chip. These gadgets are ONLY susceptible in the event that they run the Exynos chipset, which incorporates the baseband that processes indicators for voice calls. The US model of the Galaxy S22 runs a Qualcomm Snapdragon chip.
A bug tracked as CVE-2023-24033 and three others which have but to obtain a CVE designation make it potential for hackers to execute malicious code, Google’s Venture Zero vulnerability workforce reported on Thursday. Code-execution bugs within the baseband will be particularly essential as a result of the chips are endowed with root-level system privileges to make sure voice calls work reliably.
“Assessments carried out by Venture Zero verify that these 4 vulnerabilities permit an attacker to remotely compromise a cellphone on the baseband stage with no consumer interplay, and require solely that the attacker know the sufferer’s cellphone quantity,” Venture Zero’s Tim Willis wrote. “With restricted extra analysis and improvement, we consider that expert attackers would have the ability to rapidly create an operational exploit to compromise affected gadgets silently and remotely.”

Earlier this month, Google launched a patch for susceptible Pixel fashions. Samsung has launched an replace patching CVE-2023-24033, nevertheless it has not but been delivered to finish customers. There’s no indication Samsung has issued patches for the opposite three essential vulnerabilities. Till susceptible gadgets are patched, they continue to be susceptible to assaults that give entry on the deepest stage potential.
The menace prompted Willis to place this recommendation on the very prime of Thursday’s publish:
Till safety updates can be found, customers who want to shield themselves from the baseband distant code execution vulnerabilities in Samsung’s Exynos chipsets can flip off Wi-Fi calling and Voice-over-LTE (VoLTE) of their machine settings. Turning off these settings will take away the exploitation danger of those vulnerabilities.
The issue is, it’s not solely clear that it’s potential to show off VoLTE, at the very least on many fashions. A screenshot one S22 consumer posted to Reddit final 12 months reveals that the choice to show off VoLTE is grayed out. Whereas that consumer’s S22 was operating a Snapdragon chip, the expertise for customers of Exynos-based telephones is probably going the identical.
And even whether it is potential to show off VoLTE, doing so together with turning off Wi-Fi could flip telephones into little greater than tiny tablets operating Android. VoLTE got here into widespread use a number of years in the past, and since then most carriers in North America have stopped supporting older 3G and 2G frequencies.
Samsung representatives stated in an electronic mail that the corporate in March launched safety patches for 5 of six vulnerabilities that “could probably impression choose Galaxy gadgets” and can patch the sixth flaw subsequent month. The e-mail didn’t reply questions asking if any of the patches can be found to finish customers now or whether or not it’s potential to show off VoLTE.

A Google consultant, in the meantime, declined to supply the particular steps for finishing up the recommendation within the Venture Zero writeup. Readers who work out a approach are invited to elucidate the method (with screenshots, if potential) within the feedback part.
Due to the severity of the bugs and the convenience of exploitation by expert hackers, Thursday’s publish omitted technical particulars. In its product safety replace web page, Samsung described CVE-2023-24033 as a “reminiscence corruption when processing SDP attribute accept-type.”
“The baseband software program doesn’t correctly examine the format sorts of accept-type attribute specified by the SDP, which may result in a denial of service or code execution in Samsung Baseband Modem,” the advisory added. “Customers can disable WiFi calling and VoLTE to mitigate the impression of this vulnerability.”
Quick for the Service Discovery Protocol layer, SDP permits for the invention of providers obtainable from different gadgets over Bluetooth. Apart from discovery, SDP permits functions to find out the technical traits of these providers. SDP makes use of a request/response mannequin for gadgets to speak.
The menace is severe, however as soon as once more, it applies solely to individuals utilizing an Exynos model of one of many affected fashions. And as soon as once more, Google issued a patch earlier this month for Pixel customers.
Till Samsung or Google says extra, customers of gadgets that stay susceptible ought to (1) set up all obtainable safety updates with a detailed eye out for one patching CVE-2023-24033, (2) flip off Wi-Fi calling, and (3) discover the settings menu of their particular mannequin to see if it’s potential to show off VoLTE. This publish might be up to date if both firm responds with extra helpful data.