Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits

Google’s Project Zero unit is calling urgent attention to multiple security defects found in Samsung’s Exynos chipsets, warning that attackers can remotely compromise a phone at the baseband level with no user interaction whatsoever.

Project Zero team lead Tim Willis said his researchers reported at least 18 zero-day vulnerabilities in the Exynos modems produced by Samsung Semiconductor and used in the company’s flagship Galaxy devices.

In some cases, Willis said an attacker would only need to know the victim’s phone number to exploit the bugs in what is being described as “Internet-to-baseband remote code execution” attack vectors.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Willis said in a note describing the issues.

“Until security updates are available, [affected users] can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities,” he added.

Willis said Google would withhold details on four of the 18 vulnerabilities because of the severity of the issue and the risk that malicious actors could quickly reproduce the findings and create in-the-wild exploits.

“Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” Willis noted.

He said the 14 other related vulnerabilities were not as severe, requiring either a malicious mobile network operator or an attacker with local access to the device for successful exploitation.  Project Zero lifted the embargo on five of the vulnerabilities even though patches are not yet available. 

“The remaining nine vulnerabilities in this set have not yet hit their 90-day deadline, but will be publicly disclosed at that point if they are still unfixed,” Willis cautioned.

Samsung has issued multiple advisories with the list of Exynos chipsets affected by these vulnerabilities, including mobile devices from Samsung, Vivo and Google’s own Pixel 6/7 handsets. 

Samsung described the issues as heap buffer overflows in the 5G MM message codec when decoding extended emergency lists, service area lists and reserved options.

Related: Project Zero Flags ‘Patch Gap’ Problems on Android

Related: Google Project Zero Updates Vulnerability Disclosure Policy

Related: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation