Major Security Flaw Discovered By Google In Samsung Modems - Check If Your Phone Is Affected
For several years, Samsung's Exynos chipsets have faced severe criticism for being not competitive enough compared to offerings from Qualcomm. These chips were notorious for offering poor battery life, suffered from overheating issues, and typically offered underwhelming camera and gaming performance. These issues had become a major PR nightmare for Samsung, leading to the company choosing not to release an Exynos-powered Galaxy S23 lineup for 2023. In fact, Qualcomm chipsets will likely power all flagship-grade Samsung smartphones for the foreseeable future. While Samsung refuses to give up on the Exynos lineup, it is becoming evident that these chipsets will mostly be relegated to Samsung's low-end and mid-tier smartphone offerings, at least for the foreseeable future.
And just when we thought things couldn't get any worse for the Exynos lineup, we now hear reports of a major security flaw affecting several Exynos chipsets. The security advisory comes from Google's Project Zero security team, who has also indicated that the issue affects the firmware used with Exynos-made modems. According to the report, hackers could exploit this vulnerability by simply sending a malicious SMS text to the victim's phone or by infecting the phone by installing an app with malicious code.
Once the hacker infects the target device, they could potentially take control of the device's microphone, camera, and other sensors. Even worse, they could also potentially access sensitive information stored on the phone — including passwords and photos. The post on the Project Zero blog also indicated that the flaw is relatively easy to exploit, even by teams with access to "limited additional research and development."
Is Samsung delaying a fix?
In all, the Project Zero team was able to detect 18 different vulnerabilities affecting Exynos modems. Four of these vulnerabilities were of an extremely serious nature and could potentially allow hackers to remotely access the phone without any user interaction. The only thing the hacker needed to know to gain access was the phone number of the potential victim. Google refused to share additional information about the vulnerability owing to the fact that they could be exploited very easily. The rest of the vulnerabilities the group identified were of a relatively minor nature, the blog post confirmed.
The Project Zero team had been aware of these issues since late 2022 and even alerted Samsung. However, Samsung has yet to issue a patch to fix the vulnerabilities even 90 days after they were warned about the same. In an unusual move, a researcher part of Project Zero even criticized Samsung for dragging its feet in issuing a fix.
End-users still don't have patches 90 days after report.... https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
The list of devices affected by these vulnerabilities includes last year's flagship smartphone — the Samsung Galaxy S23, two M-series devices (Galaxy M33, M13), a bunch of Galaxy A series phones ( A71, A53, A33, A21s, A13, A12, and A04), and Google's Pixel 6 and Pixel 7 lineup. In addition to these, the issue also affects several Vivo handsets that use the same Exynos modem. These handsets include the Vivo S16, S15, S6, X70, X60 and X30 series. Additionally, Google has indicated that the upcoming March security update should patch the issue for the Pixel devices.