Through its Project Zero initiative, Google announces the discovery of 18 vulnerabilities in the modem built into recent generations of Samsung Exynos chipsets. At least four of these could be exploited by hackers to gain remote control over devices, knowing nothing more than the phone number of the selected victim.
Created to help the entire industry discover and fix security problems before those vulnerabilities become available to criminal groups and state actors engaged in mass espionage/surveillance, Google’s Project Zero initiative has made a significant contribution to improving online security. The latest “exploit” is the identification of no fewer than 18 security flaws in Samsung chipsets, at least 4 of which are severe enough to give hackers unlimited access to attacked devices.
Normally, security researchers do not disclose major vulnerabilities until after they have been reported to and fixed by the vendor of the respective platform. But in this case it would appear that Samsung neglected the reported problems long enough to trigger the “public opprobrium” stage: the discovered flaws were announced (without demo samples) 90 days after the initial, confidential report.
According to Project Zero researchers, the list of vulnerable Exynos devices is a long one:
- Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04
- Vivo S16, S15, S6, X70, X60, X30
- Pixel 6 and Pixel 7 series
- Exynos W920 smartwatch devices and accessories
- Vehicles equipped with Exynos Auto T5123 entertainment system
Virtually any phone equipped with a recent-generation Exynos chipset is vulnerable, and it’s up to Samsung to provide a fix as soon as possible.
In the meantime, the only workaround for blocking these vulnerabilities is to disable Wi-Fi calling and Voice-over-LTE (VoLTE). While this avoids loss of internet connectivity, the tweaks require a fairly good knowledge of the setup menus, leaving less experienced users on the sidelines.