A new report from Project Zero, Google’s internal security research team, says that a laundry list of devices using Exynos modems are at a high risk of major security breaches that would give remote attackers the ability to very easily “compromise a phone at the baseband level.” Notably, the recently released Pixel 7 is among those that are open to attack, alongside the Pixel 6 and Samsung Galaxy S22, to name just a few.
Obviously, this is a major issue, but not all hope is lost, as the problem is certainly fixable. The big question is when a fix for all affected devices is coming. Here’s everything you need to know about the vulnerability and what you can do to keep your smartphone safe.
The report from Project Zero says that the vulnerabilities originate in Exynos modems that are made by Samsung Semiconductor. According to tests conducted by Project Zero, affected devices could be compromised by an attacker who knows nothing more than the victim’s phone number. Due to the severity of the issue, Project Zero believes that “skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
Because of how much sensitive information is kept on smartphones, this could turn into a major issue if not dealt with immediately. Project Zero found 18 vulnerabilities in the Exynos modems, but luckily, only four of them have the severe issues mentioned above. The other 14 are described as “not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.”
The unfortunate part is that Project Zero lists more than 20 devices that are at risk. According to its findings, users with the following devices may be at risk from one of the 18 vulnerabilities:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60, and X30 series
- The Pixel 6, Pixel 6a, Pixel 6 Pro, Pixel 7, and Pixel 7 Pro
- Any vehicles that use the Exynos Auto T5123 chipset
Galaxy owners will note that the Galaxy S21 and the Galaxy S23 lines are absent from the list because they use Qualcomm modems. The affected S22 models should just be the ones sold in select European and African countries, since the rest of the world’s S22 devices also use Qualcomm modems.
While things may look bad currently for devices using Exynos modems, there are some things that owners can do to keep their phones safe. The first is to turn on auto-updates for any potentially affected devices. With that turned on, the phone will get security patches as soon as they go live. Google has already started focusing on resolving the issue and reports that its March security update should fix any issues with its hardware.
What about Samsung? In response to these security issues, Samsung gave Digital Trends the following statement:
“Samsung takes the safety of our customers very seriously. After determining 6 vulnerabilities may potentially impact select Galaxy devices, of which none were ‘severe’, Samsung released security patches for 5 of these in March. Another security patch will be released in April to address the remaining vulnerability.”
“As always, we recommend that all users keep their devices updated with the latest software to ensure the highest level of protection possible.”
As device owners wait for fixes, Project Zero has some suggestions regarding what they can do to minimize their risks, including turning off Wi-Fi calling and voice-over-LTE (VoLTE). Doing this will potentially degrade the audio quality of your phone calls, but the alternative of remaining at risk is much worse. Other than adjusting those two settings, there’s not much else that can be done as we all wait for the potential fixes to go live.