Exynos Modems

Overview

Google Project Zero listed 18 vulnerabilities in Samsung Exynos modems produced by Samsung Semiconductor. The four most severe vulnerabilities are CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498, which allow for remote exploitation of the baseband from the internet, thereby permitting attackers to compromise the phone without any user interaction. It only requires the attacker to know the victim's phone number. The other 14 vulnerabilities are not as severe as they either need a malicious mobile network operator or local access to the device. Affected device models:

• Devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
• Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
• The Pixel 6 and Pixel 7 series of devices from Google

While the affected Pixel devices have received fixes for all four CVEs mentioned above in their March ASPL update, others have not yet released a patch. In the case of a compromised device, Lookout will be able to detect the compromise and alert both the user and the admin Users with affected devices, if allowed by the carrier, can also protect themselves by turning off WiFi calling and voice over LTE in their device settings.

‍

Lookout Analysis

While there has only been a limited amount of information published regarding these vulnerabilities, we know that CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498 are capable of remote code execution and should be considered highly severe. An attacker would likely use these vulnerabilities as an entry point to a device and then pivot from the baseband to compromise the operating system running on the application processor where they would have access to user data.