Samsung Exynos Chipsets Vulnerable to Remote Hacking

March 16, 2023

White hat hackers at Google’s Project Zero unit discovered multiple vulnerabilities in Samsung’s Exynos chipsets that can be exploited by remote attackers to compromise phones without user interaction. The researchers found a total of eighteen vulnerabilities, with the four most severe of these flaws (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowing for Internet-to-baseband remote code execution. An attacker only needs to know the victim’s phone number to exploit these vulnerabilities. “Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” reads the advisory published by Google. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”

Experts warn that skilled threat actors would be able to create an exploit to compromise impacted devices in a stealthy way. The experts recommend turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in settings of vulnerable devices to prevent baseband remote code execution attacks. “Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.” states the report. Samsung Semiconductor’s advisories provide the list of Exynos chipsets impacted by these vulnerabilities.

Google did not disclose technical details of these flaws to avoid threat actors could develop their own exploits. “Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” said Project Zero team lead Tim Willis. The experts are disclosing details only for five vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, and CVE-2023-26076) that have exceeded Project Zero’s standard 90-day deadline.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.