Google's Project Zero uncovers 18 exploits in Samsung Exynos chips, list of affected devices

Google's Project Zero head, Tim Willis, recently reported that the team has uncovered 18 zero-day vulnerabilities in Samsung's Exynos modems.
Samsung Exynos Auto affected by exploits

More problems for Exynos chips?

Renowned for discovering 0-day vulnerabilities, Project Zero disclosed 18 vulnerabilities in a recent blog post. Four of them (CVE-2023-24033 included) allow an attacker to remotely execute code at the baseband level of a phone from the internet, with no user interaction, requiring only the victim's phone number.

The team from Google confirms that skilled attackers could develop an operational exploit to compromise affected devices remotely and silently with limited additional research and development. The remaining 14 vulnerabilities are considered 'less' severe because they require a malicious mobile network operator or an attacker with local access to the device.

Samsung Semiconductor has released advisories that identify the Exynos chipsets that are vulnerable to security flaws.

List of affected devices (based on public information from Samsung Semiconductor):

1. Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
2. vivo S16, S15, S6, X70, X60 and X30 series
3. Google Pixel 6 (Exynos 5123) and 7 (Exynos 5300) series
4. Wearables with Exynos W920 chipset
5. Vehicles with Exynos Auto T5123 chipset
6. Samsung Galaxy Watch 4 and 5

Google already addressed the main CVE-2023-24033 vulnerability in March 2023. For Pixel 6, 6 Pro, and 6a users, the March 2023 security patch has not been released, which leaves these devices vulnerable.

It is recommended to keep your devices updated regularly to address disclosed and undisclosed vulnerabilities. 

Are your devices affected?

What do you guys think?
