Google Project Zero Exposed Vulnerabilities in Samsung Exynos Chips
Google Project Zero has discovered 18 vulnerabilities in mobile and auto chips made by Samsung Electronics and disclosed them earlier this week.
According to Google, chips containing the security flaws can be found in 11 of Samsung’s Galaxy handsets. The chips also power some handsets from Vivo, as well as Google’s own Pixel 6 and Pixel 7 smartphone lines.
Google has opted to delay the release of technical information about four of the 18 vulnerabilities it revealed, because it believes they pose a severe security risk to users.
The four security flaws could allow hackers to remotely compromise a vulnerable handset without requiring any action on the user’s part. This will result in a device breach even if the user doesn’t click on a malicious link or download malware.
Samsung stated in its advisory that one of the four vulnerabilities, CVE-2023-24033, is a memory corruption flaw. This is a type of software bug that allows certain sections of a device’s memory, and the data they contain, to be overwritten. Threat actors can use such bugs to overwrite portions of a device’s data with malicious code.
The 14 other vulnerabilities Google uncovered are believed to be less severe and they can be exploited only if a device falls into the hands of hackers or connects to a malicious mobile network operator.
Samsung has released security advisories for five of the 14 vulnerabilities, and three of those five are heap buffer overflow flaws. The vulnerabilities affect several chips from Samsung’s Exynos line of mobile processors.
The processors feature a system-on-chip design that combines a central processing unit, a graphics card and other processing modules. Additionally, there’s a built-in modem for connecting to carrier networks.
Samsung also sells standalone modem chips that third-party handset makers can embed in their devices. Samsung also determined that hackers could target its Exynos Auto T5123 chip, a vehicle processor for facilitating 5G network access in cars.
Patches have not yet been released for all the devices affected by the vulnerabilities. As a workaround, users can block exploitation of the vulnerabilities by turning off Wi-Fi calling and voice-over-LTE in their device settings.
Google patched its Pixel devices earlier this year, and Samsung is expected to release security updates for affected Galaxy devices further down the road.