After discovering 18 Samsung Exynos modem vulnerabilities, Google Project Zero veered from its standard disclosure policy for four of the zero-day flaws because public disclosure might have put users at significant risk.
In a blog post Thursday, Tim Willis, senior security engineering manager and head of Google Project Zero, described -- but did not detail -- the 18 vulnerabilities that likely affect certain Samsung and Vivo mobile devices, the Pixel 6 and 7 series of devices from Google, and any vehicles that use the Exynos Auto T5123 chipset. While there has been no active exploitation yet, Willis warned that four of the 18 flaws allowed for internet-to-baseband remote code execution (RCE).
Attacks exploiting those four flaws require no user interaction, and threat actors could remotely compromise a mobile device at the baseband level by simply knowing the victim's phone number. Google believes attackers could "quickly create an operational exploit" to weaponize the vulnerabilities.
Google recommended mitigation steps for the unpatched RCE vulnerabilities as well. Affected users should turn off Wi-Fi calling and voice over LTE in their device settings, Willis emphasized in the blog.
Protecting personal devices is increasingly important due to a steady rise in hybrid and remote work, with mobile phones more likely to contain sensitive business information.
Project Zero typically follows a 90-day vulnerability disclosure policy, publishing details once that deadline has expired. For four of the Exynos flaws, however, the disclosure process departed from that norm because of the high risk they posed to users.
"Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution," Willis wrote in the blog post.
Google initially reported the 18 zero-day vulnerabilities in Exynos modems, which are produced by Samsung Semiconductor, in late 2022 and early 2023. So far, only one of the four most severe flaws has been assigned a CVE ID, tracked as CVE-2023-24033. It received a critical CVSS score of 9.8 out of 10. Pixel released a fix for CVE-2023-24033 earlier this month, but Google said patch timelines for all the flaws will vary by manufacturer.
Samsung released advisories for five of the chipset flaws earlier this month, but provided little information apart from CVE IDs, affected products and severity. Google reported those five flaws to Samsung in December, and Mitre assigned them a high CVSS score of 7.6. However, the National Vulnerability Database assigned them a critical 9.8 CVSS.
Project Zero disclosed four of the chipset vulnerabilities -- CVE-2023-26072, CVE-2023-26073, CVE-2023-26074 and CVE-2023-26075 -- in the blog post Thursday, stating they did "not meet the high standard to be withheld from disclosure."
Samsung provided an update timeline in an email to TechTarget Editorial.
"After determining 6 vulnerabilities may potentially impact select Galaxy devices, of which none were 'severe,' Samsung released security patches for 5 of these in March. Another security patch will be released in April to address the remaining vulnerabilities," Samsung wrote. "As always, we recommend that all users keep their devices updated with the latest software to ensure the highest level of protection possible."
Arielle Waldman is a Boston-based reporter covering enterprise security news.