Google: turn off Wi-Fi Calling and VoLTE in Pixel/Samsung devices affected by major security issues
Several Samsung, Google Pixel and Vivo devices are affected by critical security issues that allow threat actors to remotely compromise affected devices without user interaction. People who own affected devices may disable Wi-Fi Calling and Voice-over-LTE to protect their devices from attacks.
Google's Project Zero team reported 27 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor to Samsung in late 2022 and early 2023. Google engineers rated four of the vulnerabilities as critical, as they allowed attackers to compromise devices remotely without user interaction.
Attackers require a device's phone number only to carry out attacks against these. Google suggests that "skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely".
Google decided to withheld information about the four critical security issues because of this. The remaining vulnerabilities, the 14 mentioned and 9 additional ones that do not have an assigned CVE yet, are not "as severe" according to Google, as they " require either a malicious mobile network operator or an attacker with local access to the device".
The affected devices
Samsung published a Product Security Update for March 2023, in which it lists the affected Exynos chipsets and products.
The following devices are affected by the vulnerabilities:
- Samsung mobile devices, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series.
- Google Pixel 6 and Google Pixel 7 series devices.
- Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series.
- Wearables that use the Exynos W920 chipset.
- Vehicles that use the Exynos Auto T5123 chipset.
Google notes that the vulnerabilities may not be exploited if users turn off Wi-Fi Calling and Voice-over-LTE on their devices.
Note: this is a temporary precaution to protect devices. Once manufacturers release updates, it is no longer necessary to disable these preferences. Also, some users may not be able to disable the options, depending on use.
This is done in the following way on most Samsung devices:
- Open the Settings app on the device.
- Select Connections > Mobile networks.
- Uncheck VoLTE calls there.
- Swipe down from the top to display the quick settings.
- Locate Wi-Fi calling there. You may need to swipe to the right to display the option.
Closing Words
Google notes that it has addressed one of the issues in the March 2023 Patch for its Pixel devices. There does not appear to be a timeline yet regarding the remaining vulnerabilities. Users of affected devices should pay attention to security update releases and install these as soon as possible to protect their devices against potential exploits.
I can’t tell how to determine if my phone is vulnerable. I’m in a chat with Samsung support right now, and I provided them a link to the semiconductor.samsung.com page. They reply that this isn’t the official samsung USA site, and don’t want to answer the direct question at all.
And this, children, is why it’s important to have a phone that gets Android security updates. Android is leaking like crazy and there are billions of unsecure phones in use because, MOSTLY, people don’t care. “Instagram works, why should I buy a new phone????” ….yeah, why should you… “I HAVE NOTHING TO HIDE” ….yeah, you don’t have anything to hide blaa blaaa… It’s all fun and games until someone loses an eye.
And it’s why manufacturers should be required to provide security patches for several years, rather than abandoning their purchasers.