
Google is urging owners of certain Android phones to take urgent action to protect against critical vulnerabilities that allow skilled hackers to covertly compromise their devices by making a specially crafted call to their number. However, it is not clear whether all of the requested measures are even possible, and even if they are, the measures will strip devices of most of their voice-calling capability.
The vulnerability affects Android devices using Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos Auto T5123 chipsets manufactured by Samsung’s semiconductor division. Vulnerable devices include Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are vulnerable ONLY when equipped with the Exynos chipset, which contains the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs on a Qualcomm Snapdragon chip.
One bug tracked as CVE-2023-24033 and three others that have not yet received a CVE designation allow hackers to run malicious code, Google’s Project Zero vulnerability team reported on Thursday. Code-execution bugs in a baseband are particularly critical because the modem runs its own firmware on a separate processor, outside the reach of Android’s permission model, sandboxing and other OS-level defenses, and it processes data from the network before any app or user is involved.
“Testing conducted by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, and all the attacker needs to know is the victim’s phone number,” wrote Tim Willis of Project Zero. “With limited additional research and development, we believe that experienced attackers would be able to quickly create an operational exploit to silently and remotely compromise affected devices.”
Earlier this month, Google released a patch for vulnerable Pixel 7 models. Fixes for Pixel 6 models have yet to be delivered to many if not all users (Project Zero’s post incorrectly states otherwise). Samsung has released an update that patches CVE-2023-24033, but it has not yet reached end users. There is no indication that Samsung has released patches for the other three critical vulnerabilities. Until vulnerable devices are patched, they remain open to attacks that gain access at the deepest possible level.
The threat prompted Willis to put this advice at the top of Thursday’s post:
Until security updates are available, users who want to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Disabling these settings eliminates the risk of exploiting these vulnerabilities.
The problem is that it’s not entirely clear that it’s possible to turn off VoLTE, at least on many models. A screenshot posted to Reddit last year by an S22 user shows the option to disable VoLTE greyed out. That user’s S22 ran a Snapdragon chip, but the experience for owners of Exynos-based phones is likely to be the same.
And even where VoLTE can be turned off, doing so alongside disabling Wi-Fi calling leaves a phone with no way to place or receive calls on many networks, making it little more than a small Android tablet. VoLTE was widely deployed a few years ago, and since then most carriers in North America have shut down the legacy 2G and 3G networks that voice calls would otherwise fall back to.
Samsung officials said in an email that the company released security patches for five out of six vulnerabilities that “could potentially impact select Galaxy devices” in March and will fix the sixth bug next month. The email didn’t answer questions about whether any patches are now available to end users or whether it’s possible to turn off VoLTE. The email also didn’t make it clear that the patches have yet to be delivered to end users.
A Google representative, meanwhile, declined to provide the specific steps to implement the advice in the Project Zero brief. That leaves Pixel 6 users without any actionable mitigation while they wait for an update for their devices. Readers who find a way are invited to explain the process (with screenshots if possible) in the comments section.
Technical details were omitted from Thursday’s post due to the severity of the flaws and the ease with which experienced hackers could exploit them. On its Product Security Update page, Samsung described CVE-2023-24033 as “memory corruption while processing SDP attribute Accept-Type.”
“The baseband software does not properly validate the format types of the Accept-Type attribute specified by the SDP, which can lead to a denial of service or code execution in the Samsung baseband modem,” the advisory added. “Users can disable Wi-Fi calling and VoLTE to mitigate the impact of this vulnerability.”
Short for Session Description Protocol, SDP is a text format for describing a multimedia session between two endpoints. Its main use is in setting up VoIP calls and video conferencing, where it is carried inside SIP signaling; VoLTE and Wi-Fi calling both set up calls this way, which is why an incoming call is enough to deliver malformed data to the modem. SDP uses an offer/answer model in which one party sends a description of the session it proposes and the other party answers with the parameters it accepts.
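The bug class Samsung describes, insufficient validation of the media-type list in an SDP accept-types attribute, is easiest to see against a parser that does validate it. The following is an added example written for this article, not Samsung’s baseband code and not the flawed code path; it assumes the `a=accept-types:` grammar from MSRP (RFC 4975), a space-separated list of `type/subtype` tokens or `*`, and the token-length and list-length caps (`MAX_TOKEN`, `MAX_TYPES`) are hypothetical limits chosen for the example. The sample SDP offer and the hostile oversized line are constructed inline.

```c
/*
 * Added example: a bounds-checked parser for the SDP "accept-types"
 * attribute. Not Samsung's code; the grammar is assumed from RFC 4975
 * (MSRP) and the size caps are hypothetical limits for illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKEN 64   /* hypothetical cap on one media-type token */
#define MAX_TYPES 8    /* hypothetical cap on list length */

typedef struct {
    char types[MAX_TYPES][MAX_TOKEN + 1];
    size_t count;
} accept_types_t;

/* Constructed sample offer, as a SIP INVITE for an MSRP session might carry. */
const char SAMPLE_OFFER[] =
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "m=message 2855 TCP/MSRP *\r\n"
    "a=accept-types:message/cpim text/plain\r\n"
    "a=path:msrp://192.0.2.10:2855/s1;tcp\r\n";

/* Printable ASCII minus the RFC 2045 tspecials and the "/" separator. */
static int is_token_char(unsigned char c) {
    if (c <= 0x20 || c >= 0x7f) return 0;
    return strchr("()<>@,;:\\\"/[]?=", c) == NULL;
}

/* One format entry: "*" or type "/" subtype, both sides non-empty tokens. */
static int valid_media_type(const char *s, size_t n) {
    if (n == 1 && s[0] == '*') return 1;
    const char *slash = memchr(s, '/', n);
    if (!slash || slash == s || slash == s + n - 1) return 0;
    for (size_t i = 0; i < n; i++) {
        if (s + i == slash) continue;
        if (!is_token_char((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Parse the first a=accept-types: line of an SDP body into *out.
 * Returns 0 on success, -1 if the attribute is absent, -2 if any token
 * is malformed, empty or longer than MAX_TOKEN, -3 if there are more
 * than MAX_TYPES tokens. Every copy is bounded before it happens, so a
 * hostile line is rejected instead of overrunning the destination. */
int parse_accept_types(const char *sdp, accept_types_t *out) {
    static const char prefix[] = "a=accept-types:";
    const size_t plen = sizeof(prefix) - 1;
    out->count = 0;
    const char *line = sdp;
    while (*line) {
        const char *eol = line + strcspn(line, "\r\n");
        if ((size_t)(eol - line) >= plen && memcmp(line, prefix, plen) == 0) {
            const char *p = line + plen;
            while (p < eol) {
                while (p < eol && *p == ' ') p++;   /* skip separators */
                if (p == eol) break;
                const char *end = p;
                while (end < eol && *end != ' ') end++;
                size_t n = (size_t)(end - p);
                if (n > MAX_TOKEN || !valid_media_type(p, n)) return -2;
                if (out->count == MAX_TYPES) return -3;
                memcpy(out->types[out->count], p, n);
                out->types[out->count][n] = '\0';
                out->count++;
                p = end;
            }
            return out->count ? 0 : -2;            /* empty list is invalid */
        }
        line = eol + strspn(eol, "\r\n");
    }
    return -1;
}

/* Convenience wrappers: list length (or negative error) and membership. */
int accept_types_count(const char *sdp) {
    accept_types_t t;
    int rc = parse_accept_types(sdp, &t);
    return rc < 0 ? rc : (int)t.count;
}

int accepts_type(const char *sdp, const char *media_type) {
    accept_types_t t;
    if (parse_accept_types(sdp, &t) != 0) return 0;
    for (size_t i = 0; i < t.count; i++)
        if (strcmp(t.types[i], media_type) == 0) return 1;
    return 0;
}

/* Constructed hostile offer: a 200-byte subtype, far past MAX_TOKEN.
 * Returns the parser's verdict, which should be -2 (rejected). */
int check_oversized_token(void) {
    char buf[512];
    const char *head = "v=0\r\nm=message 2855 TCP/MSRP *\r\na=accept-types:text/";
    size_t h = strlen(head);
    memcpy(buf, head, h);
    memset(buf + h, 'x', 200);
    memcpy(buf + h + 200, "\r\n", 3);   /* copies the terminating NUL too */
    accept_types_t t;
    return parse_accept_types(buf, &t);
}

int main(void) {
    printf("sample offer: %d accept-types, text/plain accepted: %d\n",
           accept_types_count(SAMPLE_OFFER), accepts_type(SAMPLE_OFFER, "text/plain"));
    printf("oversized token verdict: %d\n", check_oversized_token());
    return 0;
}
```

The point of the example is the shape of the check, not the specific numbers: every token is measured and validated against the grammar before it is copied, and the list length is capped, so an offer from an unknown caller can only produce a rejection, never an out-of-bounds write.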
The threat is serious, but again, it only applies to people using an Exynos version of any of the affected models.
Until Samsung or Google say more, users of devices that remain vulnerable should (1) install all available security updates, checking whether the update includes the fix for CVE-2023-24033, (2) disable Wi-Fi calling, and (3) explore the Settings menu of your specific model to see if it is possible to turn off VoLTE. This post will be updated if either company replies with more useful information.
Post updated to correct the definition of SDP.