Google Discovers Samsung Modem Vulnerabilities on Pixel 6 and 7, Galaxy S22, and More

Google is warning users of select Pixel, Galaxy, and Vivo phones that it discovered several 0-day vulnerabilities in Samsung Exynos modems used in these devices. According to Google’s Project Zero team, four of these vulnerabilities are putting users directly at risk unless they turn off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings.

“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely, Google’s Project Zero team explained.

The list of affected devices affected by these Samsung Exynos vulnerabilities includes the Google Pixel 6 and 7, various Samsung Galaxy devices including the S22, A71, and A53, other mobile devices from Vivo, as well as vehicles that use Samsunt’s Exynos Auto T5123 chipset. Google has already patched the vulnerabilities on its Pixel devices with the March 2023 security update, but other devices remain unprotected.

As noted by Techcrunch, Samsung acknowledged in a March 2023 product security update that several of its Exynos modems had security vulnerabilities, but the company didn’t go into details. And according to Maddie Stone, a security researcher in Google’s Project Zero team, Samsung has yet to release security patches 90 days after the initial report.

If you own a Pixel 6 or Pixel 7, you should make sure to install the latest security update as soon as possible. If you own one of the other affected devices, it’s highly recommended to disable Voice over LTE and WiFi calling on your phone before a security patch is available.