Hackers Only Need To Know Your Phone Number To Pwn Samsung Exynos Based Devices

Google’s Project Zero team has posted a blog post that paints a pretty scary picture for Pixel and Samsung owners:

In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

The fourteen other related vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that are yet to be assigned CVE-IDs) were not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.

The following devices are known to be affected by these exploits:

  • Samsung phones including the Galaxy S22 series, the Galaxy M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04
  • Vivo phones including the S16, S15, S6, X70, X60 and X30
  • Google Pixel 6 and 7 series
  • Wearables using the Exynos W920 chipset
  • Vehicles that use the Exynos Auto T5123 chipset

That’s a very big list. And I have to wonder what cars use Exynos based modems. I guess we will find out shortly. In any case, the mitigation until updates come out is to turn off Wi-Fi calling and Voice-over-LTE (VoLTE). You should be able to find both of these in the Settings menu under Network & internet > SIMs, though the exact location may vary from device to device. If you have a vehicle that uses this chipset, I have no mitigation for you. And I have no way for you to check your vehicle to see if you have this Exynos chipset.

Expect patches for phones and wearables to come out soon, if they haven’t already. As for vehicles, your guess is as good as mine.


David Maynor, Senior Director of Threat Intelligence at Cybrary had this to say:

   “The flaw in the baseband component is important for enterprise customers to be aware of but not for the reasons it seems. The baseband component is the radio that communicates with cellular infrastructure. The software is a binary blob that’s encrypted, and there are not good ways to inspect the baseband state. So, you have a place you can’t monitor with software you can’t inspect that creates a perfect place for bad guys to do nefarious things.”

Ted Miracco, CEO of Approov followed up with this:

   “The discovery of 18 vulnerabilities in Samsung’s Exynos chipsets is deeply unsettling, especially given that four of them enable remote code execution without any user interaction or indication. Overall, the discovery of these vulnerabilities highlights the importance of ongoing security research and the need for vendors to prioritize mobile security in their products. While, It also serves as a reminder for users to remain vigilant and take steps to protect themselves from potential attacks, the fact that an attacker only needs the victim’s phone number to carry out these attacks further highlights the severity of these vulnerabilities.”

Leave a Reply

%d bloggers like this: