Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs the victim’s phone number.

Google’s Project Zero unit is calling urgent attention to multiple security defects found in Samsung’s Exynos chipsets, warning that attackers can remotely compromise a phone at the baseband level with no user interaction whatsoever.

Project Zero team lead Tim Willis said his researchers reported at least 18 zero-day vulnerabilities in the Exynos modems produced by Samsung Semiconductor and used in the company’s flagship Galaxy devices.

In some cases, Willis said an attacker would only need to know the victim’s phone number to exploit the bugs in what is being described as “Internet-to-baseband remote code execution” attack vectors.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Willis said in a note describing the issues.

“Until security updates are available, [affected users] can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities,” he added.

Willis said Google would withhold details on four of the 18 vulnerabilities because of the severity of the issue and the risk that malicious actors could quickly reproduce the findings and create in-the-wild exploits.

“Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” Willis noted.

Advertisement. Scroll to continue reading.

He said the 14 other related vulnerabilities were not as severe, requiring either a malicious mobile network operator or an attacker with local access to the device for successful exploitation.  Project Zero lifted the embargo on five of the vulnerabilities even though patches are not yet available. 

“The remaining nine vulnerabilities in this set have not yet hit their 90-day deadline, but will be publicly disclosed at that point if they are still unfixed,” Willis cautioned.

Samsung has issued multiple advisories with the list of Exynos chipsets affected by these vulnerabilities, including mobile devices from Samsung, Vivo and Google’s own Pixel 6/7 handsets. 

Samsung described the issues as heap buffer overflows in the 5G MM message codec when decoding extended emergency lists, service area lists and reserved options.

Related: Project Zero Flags ‘Patch Gap’ Problems on Android

Related: Google Project Zero Updates Vulnerability Disclosure Policy

Related: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.

Cybercrime

A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile...