Project Zero’s cybersecurity team has set off alarm bells at Samsung, Vivo and Google. The researchers have discovered a series of severe vulnerabilities that open the door to compromising the security of certain smartphone models.
Attackers only need to know their target’s phone number. With this information, and enough expertise, they can infiltrate the smartphone silently and remotely. That is, the victim does not realize they are being hacked and does not have to fall into some kind of trap.
Silent (and dangerous) attacks
The origin of the problem, according to the researchers, lies in four vulnerabilities found in the Samsung Exynos modems between the end of 2022 and the beginning of 2023. These are “zero-day” vulnerabilities, which means that manufacturers were unaware of their existence.
The vulnerabilities (CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498) allow remote code execution from the Internet to the baseband, also known as base band, on devices that have calling over WiFi (VoWiFi) or over LTE (VoLTE) enabled.
Affected devices include the Samsung Galaxy S22 with an Exynos chip (models sold in the US and other markets have Qualcomm chips and are out of danger) and various devices from other ranges, specifically the M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04.
Also included in the Project Zero list are Google’s Pixel 6 and Pixel 7 phones, as well as the Vivo S16, S15, S6, X70, X60 and X30, and vehicles with the Exynos Auto T5123 chip. If you are a user of any of the aforementioned devices, it is important to follow the recommendations of the experts.
As this is a recently discovered zero-day vulnerability, not all vendors have released patches to address it and, in some cases, they may take time to arrive. At the moment, only Google Pixel devices will be protected after installing the March Android security update.
In the case of models from other manufacturers, until they address the problem with security updates, Project Zero recommends disabling the VoWiFi and VoLTE functions as temporary protection. This eliminates the attack path hackers could use.