Samsung “internet-to-baseband” bug can be attacked over the phone

By

Technical details secret for now.

A bug in Samsung’s Exynos baseband modems is so exploitable, Google’s Project Zero has made the unusual decision to conceal details of the vulnerability.

Samsung “internet-to-baseband” bug can be attacked over the phone

Project Zero advises owners of affected devices to disable Wi-Fi calling and Voice-over-LTE (VoLTE) until a firmware upgrade arrives, to block the “internet-to-baseband” attack vector.

In its advisory, Project Zero said the vulnerabilities “allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”

The four critical vulnerabilities are CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs.

There are another fourteen less serious bugs, CVE-2023-26072CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that are yet to be assigned CVE-IDs.

Affected phones include Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 mobiles; Vivo S16, S15, S6, X70, X60 and X30 series mobiles; Google’s Pixel 6 and Pixel 7 series; along with any wearables that use the Exynos W920 chipset; and any vehicles that use the Exynos Auto T5123 chipset.

Samsung is yet to ship updated firmware, and to date, has only disclosed the five less serious vulnerabilities.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?