And You Thought That Exynos Modem Was Your Friend
Buckle down, this is a rough ride. The Project Zero team at Google have reported 18 zero-day vulnerabilities affecting Exynos modems found in many Android cellphones over the past few months. All of the vulnerabilities have been given CVE designations, but all details about four of the 18 are being withheld until such time as there is a well spread solution for them. Those four allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and the only information they need is the phone number.
Baseband remote code execution vulnerabilities are rather nasty, stemming from the baseband software running your modem not having the security in place to prevent denial of service or code execution. The software can be updated, and has been in the past to resolve similar attacks. As this all takes place far below the user level, all of this can happen without any indication given to the user, not even a suspicious text or app appearing.
Unfortunately this requires the manufacture creating a fix, in this case Samsung, to pass on to providers to then push to their users. While many of us are more than capable of directly grabbing an Android update, some carriers only provide over the air updates and many users rely on them; assuming they ever actually acknowledge and apply said update.
The list of affected devices is long, Samsung’s S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A0 are all vulnerable as are Vivo S16, S15, S6, X70, X60 and X30 series phones. It also applies to any vehicles which use an Exynos modem in their entertainment systems. It is unclear just which vehicles those might be, but you can assume the updates will be even slower in coming.
Google have fixed the vulnerabilities in the Pixel 6 and Pixel 7 series, but don’t celebrate your choice until you read the first story below the fold.