We trust our smartphones with pretty much everything in our lives, and in return, we expect them to be secure and safeguarded against attacks. That's usually the case, and monthly security updates go a long way in protecting our data. However, if you have a Google Pixel or a Samsung phone, you should probably be wary. Google's Project Zero, its bug-hunting team, has identified eighteen security vulnerabilities that affect Exynos modems, and combining them can give an attacker full control over your smartphone without you even knowing.

The vulnerabilities were discovered in late 2022 and early 2023. Four of the eighteen are deemed the most critical, as they enable remote code execution with just the victim's phone number. Only one of these most serious vulnerabilities has a publicly assigned Common Vulnerabilities and Exposures (CVE) number, with Google withholding a number of CVEs associated with this vulnerability in a rare exception to normal bug disclosure protocol.

The following devices are affected, according to Google's Project Zero.

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
  • The Pixel 6 and Pixel 7 series of devices from Google; and
  • any vehicles that use the Exynos Auto T5123 chipset.

This bug has been fixed in the March security update, which the Pixel 7 series already has. However, the Pixel 6 series does not have it yet, and Google says that users who are using unpatched devices should disable VoLTE and Wi-Fi Calling. Tim Willis, the head of Project Zero, said that "with limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." In other words, a user could have their device compromised and potentially not even know about it, and it seems like it might be pretty easy for some attackers to find and exploit as well.

As for the major vulnerability that we do have information on, CVE-2023-24033, its description simply says that the affected baseband modem chipsets "do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service." A denial of service in this context typically means that an attacker can remotely lock your phone up and prevent you from using it, though no additional details are given.

The other fourteen vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine others awaiting CVEs) aren't as critical but still carry risk to the end user. For successful exploitation, they require "either a malicious mobile network operator or an attacker with local access to the device."

For users who are waiting on an update and are using an affected device, be sure to disable VoLTE and Wi-Fi Calling for now. If you have the March security update available but haven't updated yet, it might be time to do so.


Source: Google Project Zero