Google and Samsung Phones Have Severe Vulnerabilities
Google's Project Zero recently discovered two critical vulnerabilities that pose a significant threat to the security of Android phones manufactured by Google and Samsung. These vulnerabilities have been classified as "severe," indicating the urgent need for patching to mitigate the risks involved. Failure to do so could result in a serious security breach.
One of the identified vulnerabilities, and by far the most serious, impacts Exynos modems. The vulnerabilities consist of four weaknesses that can lead to significant issues with the Exynos hardware. Hackers can exploit these vulnerabilities remotely with only your phone number without the need for user interaction. Immediate patching is required to prevent potential exploits and compromise of your phone.
Numerous devices from Samsung, Vivo, and Google have been found to be vulnerable to serious zero-day vulnerabilities affecting Exynos chipsets. Among the affected devices are the Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series, the Vivo S16, S15, S6, X70, X60, and X30 series, and Google Pixel 6, 6 Pro, Pixel 6a, Pixel 7, and 7 Pro. Additionally, all wearables that utilize the Exynos W920 chipset and all vehicles that use the Exynos Auto T5123 chipset are also affected. A total of 18 zero-day vulnerabilities were discovered in Samsung's Exynos chipsets, with seven allowing for remote code execution. Immediate patching is required to mitigate these vulnerabilities.
Google has taken immediate action by releasing the March Pixel update to address these vulnerabilities. While the patch has been rolled out to the Pixel 7 Pro, some devices may still be waiting for the update. It's important for owners of affected devices to proactively check for and apply the patch as soon as it becomes available to ensure their device is protected.
How to check for updates on a Google Pixel device
Here are the steps to check for updates on a Pixel phone:
- Open the Settings app on your Pixel phone.
- Scroll down and select the System option.
- Tap System Update.
- If there is an update available, you'll see a notification. Tap Download and Install to start the update process.
It's important to note that some updates may take a while to download and install, so make sure your device has enough battery life and is connected to a Wi-Fi network before starting the update process.
To check for updates on Samsung phones, open the Settings app and look for either the Software or System Updates section. If the March 1, 2023 Security Patch is listed, it means that five out of the 18 vulnerabilities have been addressed (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076).
The remaining vulnerabilities have not yet passed the 90-day deadline or been assigned CVE-IDs. Samsung has also updated its advisories to remove the Exynos W920 SoC as an affected chip, along with the release of the March 1, 2023 update.
Related: Pinduoduo users are at risk
What to do if your phone hasn’t received the update yet
It's important to note that turning off VoLTE and Wi-Fi calling should only be done temporarily until your phone receives the necessary security patch. Once you've applied the update, it's safe to turn these features back on. Additionally, if you're not sure how to turn off these features or have any concerns about the security of your phone, it's always a good idea to contact your device manufacturer or carrier for guidance.
Markup tool vulnerability on Google Pixel devices
A severe vulnerability has been identified by Google's Project Zero that affects the Markup utility on Pixel phones, potentially enabling hackers to unredact and uncrop edited screenshots. For individuals who frequently take and share sensitive screenshots, this vulnerability should be treated seriously, as a hacker could exploit this vulnerability to uncover redacted information and use it for malicious purposes. It is essential to exercise caution while sharing sensitive information.
While sharing screenshots via services that compress and decompress images, such as Twitter, does not expose them to the vulnerability, it is still advised to exercise caution.
Thankfully, Google has addressed the issue with the March Security Update, ensuring that it is resolved for users who have applied the patch. However, users who took screenshots before the update may still be vulnerable. Therefore, it is advisable to delete any such screenshots (from both phone and cloud) containing sensitive information, whether redacted or not.
For those using Pixel or Samsung phones yet to receive patches, it is recommended that you check for updates daily and apply them as soon as possible.
“turning off VoLTE and Wi-Fi calling should only be done temporarily” what a load of bullcrap. Neither of those are of any use in most countries that have MODERN, nationwide cellphone networks. So this basically affects tech-wise backwood third world countries like Bangladesh and The United States of America.
@Zero Worries
Not everyone has a phone flatrate and a 10 GB dataplan. And some people sit in places with bad connectivity like cellars or valleys.
Where is good-old android 3G samsungs, when we needed them ?
@Fuzzi – too true. Whilst we have 1Mbps internet, our phone signal is variable, poor to crap. It’s also the case that garages / resturants / cafes / libraries / coffee shops etc in areas of NO phone coverage (Arizona desert to Scottish Highlands) have publically accessible internet.
@Zero Worries, perhaps your lack of understanding is reflected in your name.
1Gbps NOT 1 Mbps
for most in USA, the option to disable VoLTE has been removed from our phones. Even if still there, in most of the country this would render the phone with zero service, as 3G networks have been mostly retired. Which leaves the question: How to mitigate this until we receive a patch? If we forward our cell number to a land-line, that would cause our carrier to reroute the call away from our cell phone. Would that mitigate the vulnerability? I don’t know. Even with the number forwarded, SMS still arrive on the phone. Certainly some carrier admin communications as well. Would love to have an answer.
My J510FN model tells me the latest security updates are already installed and are dated June 2018. But its a Snapdragon 410 chipset not Exynos so in spite of its old age I guess it’s not vulnerable.