Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs the victim’s phone number.

Google’s Project Zero unit is calling urgent attention to multiple security defects found in Samsung’s Exynos chipsets, warning that attackers can remotely compromise a phone at the baseband level with no user interaction whatsoever.

Project Zero team lead Tim Willis said his researchers reported at least 18 zero-day vulnerabilities in the Exynos modems produced by Samsung Semiconductor and used in the company’s flagship Galaxy devices.

In some cases, Willis said an attacker would only need to know the victim’s phone number to exploit the bugs in what is being described as “Internet-to-baseband remote code execution” attack vectors.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Willis said in a note describing the issues.

“Until security updates are available, [affected users] can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities,” he added.

Willis said Google would withhold details on four of the 18 vulnerabilities because of the severity of the issue and the risk that malicious actors could quickly reproduce the findings and create in-the-wild exploits.

“Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” Willis noted.

He said the 14 other related vulnerabilities were not as severe, requiring either a malicious mobile network operator or an attacker with local access to the device for successful exploitation.  Project Zero lifted the embargo on five of the vulnerabilities even though patches are not yet available. 

“The remaining nine vulnerabilities in this set have not yet hit their 90-day deadline, but will be publicly disclosed at that point if they are still unfixed,” Willis cautioned.

Samsung has issued multiple advisories with the list of Exynos chipsets affected by these vulnerabilities, including mobile devices from Samsung, Vivo and Google’s own Pixel 6/7 handsets. 

Samsung described the issues as heap buffer overflows in the 5G MM message codec when decoding extended emergency lists, service area lists and reserved options.

Related: Project Zero Flags ‘Patch Gap’ Problems on Android

Related: Google Project Zero Updates Vulnerability Disclosure Policy

Related: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.