Google’s Project Zero is warning of multiple significant vulnerabilities found across many models of mobile devices including Samsung Galaxy, Google Pixel, Vivo, and several forms of wearable and vehicles using certain types of components.
Between late 2022 and early 2023, Project Zero reported 18 vulnerabilities in a chip powering those devices. Of those 18, a total of four vulnerabilities are tagged as “top-severity” which could allow for silent compromise over the network.
Which devices are affected?
The list of impacted technology is as follows:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
- The Pixel 6 and Pixel 7 series of devices from Google
- Any vehicles that use the Exynos Auto T5123 chipset
The four most severe vulnerabilities could allow attackers to remotely compromise a device, with no physical interaction required at any stage of the proceedings. The only thing an attacker requires for the compromise to take place is knowledge of the intended victim’s phone number.
The other fourteen, while still bad, are nowhere near as severe, and for them to be successful requires either a malicious mobile network operator or an attacker with local access to the device.
Meanwhile, the Google Security research team believes that the most severe vulnerabilities would allow skilled attackers to create an operational exploit in a short space of time.
Patching and scope of threat
While Google mentions that patching will be dependent on manufacturer, PIxel phones (for example) have already been patched against CVE-2023-24033 in the March security update. If a patch isn’t forthcoming for your own device yet, Google has some suggestions to help keep your technology safe from harm. If your device allows you to, switch off two settings called:
- Wi-Fi calling
- Voice-over-LTE (VoLTE)
This will prevent the risk of exploitation. One potential ramification of disabling VoLTE is that in recent years it has become something of a necessity for some mobile networks. If you’re able to turn it off, then based on the information available you may experience poor call quality and lack of certain features and functionality. On the other hand, VoLTE is “not available everywhere on every network, or on every handset” so it may not matter too much anyway depending on your make and model.
As for scope, depending on where your device is from you may not be running the vulnerable type of chip needed for the exploit to be successful. The Verge notes that phones sold outside of Europe and some African countries” use something else altogether. In those instances, you should be fine.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.