Project Zero, Google’s team dedicated to security research, has found some major issues in the Samsung modems that power devices like the Pixel 6, Pixel 7, and some models of the Galaxy S22 and A53. According to its blog post, several Exynos modems have a series of vulnerabilities that allow “a remote attacker to compromise a phone at the baseband level without user intervention” without needing much more than the victim’s phone number. And, frustratingly, it seems Samsung is struggling to fix it.
The team also warns that experienced hackers could exploit the problem “with only limited additional research and development”. However, Google says the March security update for Pixels should fix the issue, though 9to5Google notes that it’s not yet available for the Pixel 6, 6 Pro and 6a (we also checked our own 6a and there was no update). The researchers say they believe the following devices may be at risk:
It’s worth noting that devices need to be using one of the affected Samsung modems to be vulnerable. For many S22 owners, that could be a relief: the phones sold outside of Europe and some African countries have a Qualcomm processor and also use a Qualcomm modem, so should be immune from these specific problems. But phones with Exynos processors, such as the popular midrange A53 and European S22, can be vulnerable.
In theory, the S21 and S23 are safe – Samsung’s most recent flagships use Qualcomm globally, and the older ones with Exynos chips use a modem that isn’t on Samsung’s list of affected chips.
If you know your phone is using one of the vulnerable modems, and you’re concerned about it being exploited (remember, attacks can “silently and remotely compromise affected devices”), Project Zero says you can protect yourself by turning off Wi-Fi calling and Voice over LTE. Yes, your phone calls will be worse, but it’s probably worth it.
Traditionally, security researchers wait until a fix is available before announcing that they’ve found the bug, or until it’s been a certain amount of time since they reported it with no fix in sight. It looks like it’s the latter case here – as TechCrunch notes, Project Zero researcher Maddie Stone tweeted that “end-users still don’t have patches 90 days after notification,” which seems to be an incentive for Samsung and other vendors to fix the problem.
Samsung did not immediately reply to The Verge’s request for comment on why there doesn’t seem to be a patch yet.
In total, Project Zero found 18 vulnerabilities in the modems. Four are the really bad ones that enable “Internet-to-baseband remote code execution,” and Google says it’s not sharing any additional information on those at this time, despite its usual disclosure policy. (Again, due to the fact that it thinks they could be exploited very easily.) The rest were minor, requiring “either a malicious mobile network operator or an attacker with local access to the device.” To be clear, that’s still not great – we’ve seen how weak carrier security can be – but at least they’re not as bad as the others.