Vulnerabilities found in Samsung's Exynos modems can lead to loss of control over smartphone: On which devices are they used?

Google's Project Zero team has announced that there are serious vulnerabilities in Exynos modems that pose a threat to smartphones and as a result, users can lose control over their devices. Fortunately, users have an option to protect their information before updating the software.

As reported by 9to5google.com, Exynos modems are used in Pixel 6 and 7 flagships, as well as many Samsung, Vivo smartphones, as well as many wearable devices, mainly smart watches.

In late 2022 and in early 2023, Project Zero discovered 18 Exynos modem vulnerabilities. Four of them, including CVE-2023-24033, allow hackers to remotely execute code on users' devices, compromising phones. For them to do that, it is enough to know the phone number of the victim. Google believes that skilled hackers will be able to quickly find solutions to use this feature to their advantage.

Project Zero has found another 14 vulnerabilities that are not so critical and require either the involvement of a rogue mobile network operator or an attacker's "local" access to the device. According to Samsung, as of January 2023, the issue affects the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123 chips.

Google has compiled the list of vulnerable products.

• Samsung Galaxy smartphones, including S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
• Vivo smartphones including S16, S15, S6, X70, X60 and X30 series;
• Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro smartphones,
• All wearable devices with Exynos W920 chipsets;
• All vehicles using Exynos Auto T5123 chipsets.

In addition to the Pixel 6 (Exynos 5123) and Pixel 7 (Exynos 5300), the vulnerabilites refer to the flagship Galaxy S22 and the Galaxy Watch 4 and 5. The core vulnerability CVE-2023-24033 in some Pixel smartphones has already been fixed by the patch released on March 13. However, the Pixel 6, 6 Pro, and 6a have yet to receive the March update and are still vulnerable, according to 9to5google.

As a temporary protection measure, Project Zero recommends disabling Wi-Fi calling and Voice-over-LTE (VoLTE) features before a pending software update. Though, according to Sprint/T-Mobile, VoLTE is automatically enabled on Google Pixel smartphones in 2021 due to updates and it is impossible to disable it by conventional means. However, this function can be disabled in models of other brands.