Google is urging owners of certain Android phones to take urgent action to protect themselves from critical vulnerabilities that give skilled hackers the ability to surreptitiously compromise their devices by making a specially crafted call to their number. It’s not clear if all actions urged are even possible, however, and even if they are, the measures will neuter devices of most voice-calling capabilities.
The vulnerability affects Android devices that use the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos Auto T5123 chipsets made by Samsung’s semiconductor division. Vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are ONLY vulnerable if they run the Exynos chipset, which includes the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs a Qualcomm Snapdragon chip.
A bug tracked as CVE-2023-24033 and three others that have yet to receive a CVE designation make it possible for hackers to execute malicious code, Google’s Project Zero vulnerability team reported on Thursday. Code-execution bugs in the baseband can be especially critical because the chips are endowed with root-level system privileges to ensure voice calls work reliably.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” Project Zero’s Tim Willis wrote. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
Earlier this month, Google released a patch for vulnerable Pixel 7 models, but fixes for Pixel 6 models have yet to be delivered to many, if not all, users (the Project Zero post incorrectly states otherwise). Samsung has released an update patching CVE-2023-24033, but it has not yet been delivered to end users. There’s no indication Samsung has issued patches for the other three critical vulnerabilities. Until vulnerable devices are patched, they remain vulnerable to attacks that give access at the deepest level possible.
The threat prompted Willis to put this advice at the very top of Thursday’s post:
Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.
The problem is, it’s not entirely clear that it’s possible to turn off VoLTE, at least on many models. A screenshot one S22 user posted to Reddit last year shows that the option to turn off VoLTE is grayed out. While that user’s S22 was running a Snapdragon chip, the experience for users of Exynos-based phones is likely the same.
And even if it is possible to turn off VoLTE, doing so in conjunction with turning off Wi-Fi turns phones into little more than tiny tablets running Android. VoLTE came into widespread use a few years ago, and since then most carriers in North America have stopped supporting older 3G and 2G frequencies.
Samsung representatives said in an email that the company in March released security patches for five of six vulnerabilities that “may potentially impact select Galaxy devices” and will patch the sixth flaw next month. The email didn’t answer questions asking if any of the patches are available to end users now or whether it’s possible to turn off VoLTE. The email also failed to make clear that patches have yet to be delivered to end users.
A Google representative, meanwhile, declined to provide the specific steps for carrying out the advice in the Project Zero writeup. That means Pixel 6 users have no actionable mitigation steps while they wait an updated for their devices. Readers who figure out a way are invited to explain the process (with screenshots, if possible) in the comments section.
Because of the severity of the bugs and the ease of exploitation by skilled hackers, Thursday’s post omitted technical details. In its product security update page, Samsung described CVE-2023-24033 as a “memory corruption when processing SDP attribute accept-type.”
“The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem,” the advisory added. “Users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability.”
Short for the Session Description Protocol, SDP is a mechanism for establishing a multimedia session between two entities. Its main use is supporting streaming VoIP calls and video conferencing. SDP uses a offer/answer model in which one party advertises a description of a session and the other party answers with the desired parameters.
The threat is serious, but once again, it applies only to people using an Exynos version of one of the affected models.
Until Samsung or Google says more, users of devices that remain vulnerable should (1) install all available security updates with a close eye out for one patching CVE-2023-24033, (2) turn off Wi-Fi calling, and (3) explore the settings menu of their specific model to see if it’s possible to turn off VoLTE. This post will be updated if either company responds with more useful information.
Post updated to correct the definition of SDP.