Posted on March 18, 2023 at 2:41 PM
Smartphones have become an important part of people’s daily lives. However, these devices are often exposed to serious attacks, even though many people expect them to be secure and to keep their sensitive data out of the hands of threat actors. A recent report noted that Google Pixel and Samsung phones are prone to a critical vulnerability.
Hackers control Samsung and Google Pixel devices
The report has singled out Samsung and Google Pixel devices as prone to being targeted by threat actors. Google’s Project Zero, a bug-hunting team, identified the vulnerabilities in these phones. The team detected eighteen vulnerabilities affecting Exynos models.
If a threat actor exploits these vulnerabilities, they can take full control of a smartphone without the owner even detecting that the device has been hijacked. The vulnerabilities in question were detected between late 2022 and early 2023.
Four of the vulnerabilities detected by this bug-hunting team have been ranked as critical. These bugs allow hackers to achieve remote code execution using the victim’s phone number. One of them has been publicly assigned a Common Vulnerabilities and Exposures (CVE) number.
Despite the vulnerabilities posing a significant threat to Google, the tech giant has withheld several CVEs related to the threat. The action taken by Google differs from the protocol used to disclose bugs within a system to ensure that users are made aware and employ the appropriate mitigation measures to shield their systems from exploits.
Google’s Project Zero singled out the devices at risk of being exploited through these vulnerabilities. The list includes Samsung devices such as the A04, A12, A13, A1s, A33, A53, A71, M12, M13, M33 and S22. The vulnerabilities also affect Google’s Pixel 6 and Pixel 7 series.
The bug can also be exploited on Vivo mobile devices, including the S6, S15, S16, X30, X60, and X70 series. All mobile devices that use the Exynos Auto T5123 chipset are also prone to this vulnerability.
Google has released a patch for the flaw in the March security update. The Google Pixel 7 series already has this update, meaning that users who deploy the patch will no longer be at risk of exploitation. However, the Google Pixel 6 series does not have the patch.
According to Google, those using devices that have yet to install the patch need to disable VoLTE and avoid making Wi-Fi calls. Such measures will reduce the possibility of the bug being exploited by a threat actor before the patch is deployed.
Skilled hackers could start exploiting the bug
The head of Google’s Project Zero, Tim Willis, said that there was a possibility that skilled hackers could start compromising devices by exploiting the vulnerability. Moreover, such hackers could do so without alerting the victim.
“We believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Willis said. Moreover, a user of any vulnerable device could continue using it without knowing that a hacker has gained control. The critical nature of the vulnerability and the vast user base for these devices make the flaw easy for some threat actors to exploit.
The Project Zero team also focused on a flaw tracked as CVE-2023-24033. The description for the flaw says that it affects baseband modem chipsets. It notes that the chipsets do not properly check the format types specified by the Session Description Protocol (SDP) module. If threat actors exploit the flaw, it could result in a distributed denial-of-service (DDoS) attack.
In a DDoS campaign, a threat actor can lock up the user’s device and prevent them from using it. No comprehensive details have been given regarding this flaw and how hackers can exploit it.
The remaining 14 vulnerabilities, some of which have been assigned CVEs and some of which have not, are not ranked as critical. However, the flaws still carry a risk to the end user. Successful exploitation of these flaws requires either a malicious mobile network operator or an attacker with remote access to the targeted device.
Most of the affected devices have not yet received a patch for this flaw. Therefore, those using such devices are advised to disable Wi-Fi calling and VoLTE. Users whose devices have an update available are advised to deploy the patch to lower the possibility of compromise.