Project Zero, Google’s team dedicated to security research, has found some big problems in the Samsung modems that power devices like the Pixel 6, Pixel 7, and some models of the Galaxy S22 and A53. According to its blog post, a variety of Exynos modems have a series of vulnerabilities that could “allow an attacker to remotely compromise a phone at the baseband level with no user interaction” without needing much more than a victim’s phone number. And, frustratingly, it seems like Samsung is dragging its feet on fixing it.
The team also warns that experienced hackers could exploit the issue “with only limited additional research and development.” Google says the March security update for Pixels should patch the problem — though 9to5Google notes that it’s not available for the Pixel 6, 6 Pro, and 6a yet (we also checked on our own 6a and there was no update). The researchers say they believe the following devices may be at risk:
It is worth noting that, in order for devices to be vulnerable, they have to use one of the affected Samsung modems. For a lot of S22 owners, that could be a relief — the phones sold outside of Europe and some African countries have a Qualcomm processor and also use a Qualcomm modem, and thus should be safe from these specific issues. But phones with Exynos processors, like the popular midrange A53, and European S22, might be vulnerable.
In theory, the S21 and S23 are safe — Samsung’s most recent flagships use Qualcomm worldwide, and the older ones with Exynos chips use a modem that doesn’t appear on Samsung’s list of affected chips.
If you know your phone uses one of the vulnerable modems, and you’re concerned about it being exploited (remember, attacks could “compromise affected devices silently and remotely”), Project Zero says you can protect yourself by turning off Wi-Fi calling and Voice-over-LTE. Yes, your calls will be worse, but it’s probably worth it.
Traditionally, security researchers will wait until a fix is available before announcing that they’ve found the bug, or until it’s been a certain amount of time since they reported it without any fix in sight. It seems like it’s the latter case here — as TechCrunch notes, Project Zero researcher Maddie Stone tweeted that “end-users still don’t have patches 90 days after report,” which appears to be a prod at Samsung and other vendors that they need to deal with the issue.
Samsung didn’t immediately reply to The Verge’s request for comment on why there doesn’t appear to have been a patch yet.
In total, Project Zero found 18 vulnerabilities in the modems. Four are the really bad ones that allow “Internet-to-baseband remote code execution,” and Google says it’s not sharing additional information on those right now, in spite of its usual disclosure policy. (Again, due to the fact that it believes they could very easily be exploited.) The rest were more minor, requiring “either a malicious mobile network operator or an attacker with local access to the device.” To be clear, that’s still not great — we’ve seen how flimsy carrier security can be — but at least they’re not quite as bad as the others.