Update: Samsung addressed five (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076) of the eighteen 0-day vulnerabilities in Exynos Modems through the March 2023 security patch. One vulnerability identified as CVE-2023-24033, mentioned by Samsung Semiconductor in January, may have remained unpatched and passed Project Zero's standard 90-day deadline.
The remaining twelve vulnerabilities have not passed the 90-day deadline and have not yet been assigned CVE-IDs for security reasons. They may or may not have been patched already. For the time being, these vulnerabilities and potential fixes remain undisclosed.
In addition, Samsung Semiconductor updated its advisories to remove the Exynos W920 SoC as an affected chip, and Project Zero followed suit.
Until Samsung patches these Exynos security vulnerabilities, affected users can disable Wi-Fi Calling and Voice-over-LTE (VoLTE) on their mobile devices to minimize the risk of being attacked.
Original story follows.
Google’s Project Zero security research team has found 18 vulnerabilities in Samsung phones powered by the Exynos chip. Notably, the vulnerabilities give attackers a way to access your phone using your phone number. According to a blog post, a number of Samsung Galaxy S, M, and A series phones are affected by these 18 vulnerabilities.
Security researchers do not disclose the vulnerabilities until after they are resolved. Project Zero researcher Maddie Stone tweeted that Samsung is still not concerned about this exploit, and affected phones still don’t have patches 90 days after the report. According to the researchers, not only Galaxy S, M, and A series phones but also some Vivo and Pixel 6 and 7 series phones are affected by this Exynos chip vulnerability.
Critical bugs affecting Galaxy phones using Exynos chips are related to VoWiFi and VoLTE
Galaxy phones that are affected by the Exynos chip vulnerability are the Galaxy S22, Galaxy M33, Galaxy M13, Galaxy M12, Galaxy A71, Galaxy A53, Galaxy A33, Galaxy A21, Galaxy A21s, Galaxy A13, Galaxy A12, and Galaxy A04 series. Any wearables that use the Exynos W920 chipset and any vehicles that use the Exynos Auto T5123 chipset are also exposed to attackers because of the Exynos chip vulnerability.
The good news for owners of the Pixel 7 series is that Google has already patched this issue in its March security update. The update, however, hasn't reached the Pixel 6, Pixel 6 Pro, and Pixel 6a.
Coming back to Samsung, if you have any of the above-mentioned Galaxy phones, you are advised to disable the Wi-Fi calling feature and the VoLTE (Voice-over-LTE) feature on your phone. You should also check frequently for the latest security update and, if one is available, install it right away.