Google advises Android users to take action after finding 18 zero-day vulnerabilities...

midian182

Staff member
In brief: Google has issued a warning to users of certain Android handsets, wearables, and vehicles after its Project Zero team of security analysts reported eighteen zero-day vulnerabilities in Exynos Modems produced by Samsung.

Google Project Zero head Tim Willis wrote that the four most serious of the eighteen vulnerabilities, all of which were reported in late 2022 and 2023, allow an attacker to remotely compromise a phone at the baseband level with no user interaction. Compromising a vulnerable device would only require an attacker to know a target's phone number.

A hacker exploiting one of the vulnerabilities would gain total access to all the data moving to and from the device, including calls, texts, and cellular data. Willis writes that skilled attackers could quickly create an operational exploit to compromise affected devices silently and remotely.

The remaining 14 vulnerabilities were not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.

Pixel owners don't have to worry

Google listed some of the devices featuring the Exynos chipsets that are likely impacted by the vulnerabilities:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
  • The Pixel 6 and Pixel 7 series of devices from Google
  • Any wearables that use the Exynos W920 chipset (inc., the Galaxy Watch 4 and 5)
  • Any vehicles that use the Exynos Auto T5123 chipset.

The good news for owners of affected Pixel devices is that they were already patched in the March 2023 security update. Project Zero researcher Maddie Stone tweeted that despite having 90 days to patch the vulnerabilities, Samsung still hasn't done so.

For owners of the handsets that have yet to be patched, Google recommends switching off Wi-Fi calling and Voice over LTE (VoLTE) in the device settings to remove the exploitation risk of these vulnerabilities.


 
Wi-Fi calling and Voice over LTE (VoLTE),

It really is another attack surface - surely most people get unlimited calls now in their plans - so that leaves those who just have internet, not mobile coverage - quite specific - so 95% can turn it off
 
Is the Galaxy S20 affected? EDIT: nevermind, this is for Exynos chips, and I have a Snapdragon model.
 
Disable Wi-Fi Calling and VoLTE... since, to my knowledge, major US cell carriers have all but discontinued 2G/3G calling, so all calls are either VoLTE or Wi-Fi, this makes for a very cute suggestion.
 
All of our local carriers require VoLTE phones. We had to get 2 new phones last year to replace phones that were quite new and decent, but weren't "approved", supposedly over VoLTE capabilities. If we can actually use our phones without VoLTE, it sure feels like we made a lot of perfectly good phones obsolete for nothing.
 
It always makes me wince when they advertise Chromebooks as the 'safe' alternative to Windows. Android has more holes than a colander, and their marketplace is a lawless swamp.
ChromeOS has very little in common with Android from a code-base perspective. Android apps on ChromeOS run in a protected container. No software that touches the internet is 'safe', but ChromeOS has a much smaller attack vector than Windows.

Windows 11 vulnerability statistics: https://www.cvedetails.com/product/102217/Microsoft-Windows-11.html?vendor_id=26
ChromeOS vulnerability statistics: https://www.cvedetails.com/product/20320/Google-Chrome-Os.html?vendor_id=1224
 
Wi-Fi calling is often used when there's low or no cellular signal. Voice over LTE is often used to provide better sound quality for calls; it uses data over LTE to make the call.
Thanks - I looked it up before I posted - my ISP gives me a free LTE home number - free national calls - rarely use it - but takes number of old copper wire - had LTE phones at my business before I sold it.
There are remote valleys in NZ with fiber but not cell coverage so I understand those.
Maybe 95% is a bit optimistic - but most people can turn it off.
Also I do wonder if this allows another way to spoof a number.

I never log in to anyone else's Wi-Fi with my phone - turn BT off when not needed - I effectively have unlimited data - though probably use less than 1 Gb a month (I think 10 or 20 full speed - then slowed - can't remember as don't need it - put niece and nephew on plan and they use it)
 
"The good news for owners of affected Pixel devices is that they were already patched in the March 2023 security update."

So, I just checked my Pixel 6 Pro.
It says my system is up to date.
Android version: 13
Android security update: February 5, 2023

Do I or do I not have the "March 2023" security update?
If not, why can I not download it?
 
First of all, this is upsetting because there are so many phones powered by Exynos. Google couldn't even be bothered to publish a full report as to which chipset types were affected. Remember Spectre?

Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series

This is not enough information to go on.
S22: Exynos 2200
M33, A53, A33: Exynos 1280
A21 and A12 use MTK chips, A71 uses a Snapdragon chip. The A71 5G uses Exynos 980 (see below)
perhaps A21s, M13, M12, A13, A04s, A12(India): Exynos 850

There are many low-end phones from Samsung that use Exynos 850. These phones should also be vulnerable:
Samsung M12, A21s, A04s, Xcover5, F12, F13.

Vivo S15e (indicating Exynos), Vivo S16e, X60 series and X70 series use Exynos 1080. So far no other phone seems to use this chipset.

Vivo S6 and X30 series use Exynos 980. This chipset is also used by Samsung A51 5G and A71 5G.

TLDR: If your phone uses Exynos 850, 980, 1080, 1280 and 2200 you are affected. Was that so hard?????

 
It looks like although Pixel 7 series devices have gotten the March update, it doesn't look like the Pixel 6 OTAs are available yet. I suspect that this critical patch is why the Pixel 7 Mar 2023 update was late -- they were adding this security fix in at the last minute.

The Pixel 6 is probably receiving that treatment now. Unfortunately, since it uses a different (but still affected) modem, it's probably a different process for integrating the patch, validating that it works, and QAing it for regressions.

A bit annoyingly, it appears that Android 13 seems to have removed the VoLTE toggle on many (all?) Pixel 6/7 devices, so this isn't really a valid workaround.

To try to ensure the Pixel 6 device was no longer using VoLTE, I disabled VoWi-Fi, disconnected it from Wi-Fi for good measure, and then tried turning off Mobile Data. Unfortunately, that still resulted in the device initiating an HD voice call, meaning VoLTE was still enabled. It must not count VoLTE as "Data" since it doesn't count towards your monthly data usage with your carrier *shrugs*. So that's NOT a valid way to disable VoLTE on your Pixel 6.

It's probably much ado about nothing, but the only way I figured out to actually get VoLTE disabled on the Pixel 6 was to essentially disable calling and texting -- I put it into Airplane mode and then just re-enabled Wi-Fi and Bluetooth. YES this is frustrating and NO this isn't going to work for a lot of people... but I barely text (I mostly use other data driven messaging services) and the only phone calls I receive are robocalls. A couple days of no robocalls will actually be nice. I'll turn Airplane mode off periodically to pull in texts until the Pixel 6 patch comes out (hopefully soon).

Having both a Pixel 6 and a Pixel 7 in my household, it was a bit cumbersome to try to figure all this out.
 