Google says hackers could silently own your phone until Samsung fixes its modems


Project Zero, Google’s team dedicated to security research, has found some big problems in the Samsung modems that power devices like the Pixel 6, Pixel 7, and some models of the Galaxy S22 and A53. According to its blog post, a variety of Exynos modems have a series of vulnerabilities that could “allow an attacker to remotely compromise a phone at the baseband level with no user interaction” without needing much more than a victim’s phone number. And, frustratingly, it seems like Samsung is dragging its feet on fixing it.

The team also warns that experienced hackers could exploit the issue “with only limited additional research and development.” Google says the March security update for Pixels should patch the problem — though 9to5Google notes that it’s not available for the Pixel 6, 6 Pro, and 6a yet (we also checked on our own 6a and there was no update). The researchers say they believe the following devices may be at risk:

It is worth noting that, in order for devices to be vulnerable, they have to use one of the affected Samsung modems. For a lot of S22 owners, that could be a relief — the phones sold outside of Europe and some African countries have a Qualcomm processor and also use a Qualcomm modem, and thus should be safe from these specific issues. But phones with Exynos processors, like the popular midrange A53, and European S22, might be vulnerable.

In theory, the S21 and S23 are safe — Samsung’s most recent flagships use Qualcomm worldwide, and the older ones with Exynos chips use a modem that doesn’t appear on Samsung’s list of affected chips.

If you know your phone uses one of the vulnerable modems, and you’re concerned about it being exploited (remember, attacks could “compromise affected devices silently and remotely”), Project Zero says you can protect yourself by turning off Wi-Fi calling and Voice-over-LTE. Yes, your calls will be worse, but it’s probably worth it.

Traditionally, security researchers will wait until a fix is available before announcing that they’ve found the bug, or until it’s been a certain amount of time since they reported it without any fix in sight. It seems like it’s the latter case here — as TechCrunch notes, Project Zero researcher Maddie Stone tweeted that “end-users still don’t have patches 90 days after report,” which appears to be a prod at Samsung and other vendors that they need to deal with the issue.

Samsung didn’t immediately reply to The Verge’s request for comment on why there doesn’t appear to have been a patch yet.

In total, Project Zero found 18 vulnerabilities in the modems. Four are the really bad ones that allow “Internet-to-baseband remote code execution,” and Google says it’s not sharing additional information on those right now, in spite of its usual disclosure policy. (Again, due to the fact that it believes they could very easily be exploited.) The rest were more minor, requiring “either a malicious mobile network operator or an attacker with local access to the device.” To be clear, that’s still not great — we’ve seen how flimsy carrier security can be — but at least they’re not quite as bad as the others.

#Google #hackers #silently #phone #Samsung #fixes #modems


Related Posts

Marvel’s Blade Movie Delayed by Writer’s Strike

[ad_1] Marvel’s vampire hunter Blade is a fierce warrior but he may have finally met his match: labor unions. The upcoming, long-in-development reboot of the Marvel franchise…

How to Watch the Coronation of King Charles III Live

[ad_1] King Charles III officially shed his princedom when Queen Elizabeth II died, and the British royal’s new position will be formalized on May 6 in a coronation…

‘Quordle’ today: See each ‘Quordle’ answer and hints for May 6

[ad_1] If Quordle is a little too challenging today, you’ve come to the right place for hints. There aren’t just hints here, but the whole Quordle solution….

How to use a passkey instead of a password to sign into your Google account

[ad_1] Passwords have always been a necessary evil, giving you the choice of either using one that is too simple (so you can easily remember it) or…

Amazon quietly acquired audio content discovery engine Snackable AI to boost its podcast projects

[ad_1] Amazon quietly acquired New York-based audio content discovery engine Snackable AI last December to boost its podcast features, as first reported by New York Post. The…

Warhammer 40K’s New Tyranid Screamer-Killer Is a Great Update

[ad_1] A new edition of Warhammer 40K means new models—and for some of the 40-year-old wargaming franchise’s creatures and characters, that means updates they’ve not had in…

Leave a Reply

Your email address will not be published. Required fields are marked *