Google discovers 18 zero days in Samsung Exynos processor

Team Google on finding Project Zero bugs discovered 18 0-day chipset vulnerabilities Samsung Exynos used in popular smartphones, wearables and cars.

Exynos security flaws were reported between late 2022 and early 2023. Some of them have not been fixed since December 2022.

According to the head of Project Zero, Tim Willis, the only information needed to carry out attacks is the victim’s phone number. Even worse, with minimal additional effort, a skilled hacker can easily create an exploit capable of remotely compromising vulnerable devices without attracting the attention of victims.

4 out of 18 zero days were identified as critical RCE– Vulnerabilities that allow remote code execution on the device. The other 14 vulnerabilities are not critical, but still pose a risk. Successful exploitation requires local access or a malicious mobile operator.

The list of affected devices includes:

• Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series smartphones;
• Vivo S16, S15, S6, X70, X60 and X30 series mobile devices;
• Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro device series;
• any wearable devices based on the Exynos W920 chipset;
• any vehicles using the Exynos Auto T5123 chipset.

Although Samsung has already provided fixes to other vendors, they are not publicly available and cannot be applied by all affected users.

So far, only Google has patched the vulnerability (CVE-2023-24033) for affected Pixel devices in their March 2023 security updates. Other manufacturers will release updates as they become available. Until a fix is ​​available, users are advised to disable Wi-Fi calling and VoLTE to mitigate the attack vector.