Tuesday, March 21, 2023

If you have a Samsung cell phone there's a critical security bug you need to pay attention to

There's a very nasty security bug, and you need to change your phone's settings:

Google security analysts have warned Android device users that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack and remote-control their handsets knowing just the phone number.

Between late 2022 and early this year, Google's Project Zero found and reported 18 of these bugs in Samsung's Exynos cellular modem firmware, according to Tim Willis, who heads the bug-hunting team.

Four of the 18 zero-day flaws can allow internet-to-baseband remote code execution. The baseband, or modem, portion of a device typically has privileged low-level access to all the hardware, and so exploiting bugs within its code can give an intruder full control over the phone or device. Technical details of these holes have been withheld for now to protect users of vulnerable gear.

It's actually normal to withhold details until there's a fix.  The researchers contact the manufacturer and give them details so they can create a fix.  Releasing details before the fix is ready will just help the Bad Guys develop an attack.

So if you have one of these things, here's what you need to do:

According to Google, the following devices use potentially vulnerable Exynos modems: Samsung's S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 products; Vivo mobile devices including the S16, S15, S6, X70, X60 and X30 series; the Pixel 6 and Pixel 7 series of devices from Google; and vehicles that use the Exynos Auto T5123 chipset.

Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update. Until the other manufacturers plug the holes, Willis suggests turning off Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against baseband remote code execution, if you're using a vulnerable device powered by Samsung's silicon.

I don't use Android so can't really help with how to turn off WiFi calling and VoLTE, but it should be in the Settings.


Old NFO said...

One more reason to keep anything 'private' off your devices...

LindaG said...

We don't have those models, but I always have WiFi calling off.
My phone doesn't know what VoLTE is.
Thanks for this!

Rick C said...

This only applies to Samsung phone with Exynos chipsets. In the US, Samsungs use Qualcomm Snapdragons, so this isn't relevant.

Rick C said...

Also, IIRC, with the 3G networks finally shut down in the US, if you disable VoLTE you lose the ability to make a voice call.

Eric Wilner said...

My wife heard a summary of this, turned off those features on her Samsung phone, and warned me.
My Motorola phone doesn't seem to support WiFi calling, but I turned off VoLTE while investigating. This apparently disabled voicemail access and maybe also voice calls of any sort. Finding that Moto phones apparently aren't affected, I turned VoLTE back on.
I guess I should see exactly which model Samsung she has, and try to determine what chipset it uses.

TechieDude said...

This is why I use an iPhone.

I trust Apple only marginally more than Google. But at least they consider security in their ecosystem. Bad part - it's their ecosystem.