The Google Project Zero team, which specializes in discovering security vulnerabilities, has discovered 18 zero-day vulnerabilities in Samsung's Exynos chips, which are used in mobile devices, wearables, and cars. The security vulnerabilities were reported between the end of 2022 and the beginning of 2023. Four of the zero-day vulnerabilities were identified as the most severe.
The zero-day vulnerabilities allow attackers to remotely hack into affected devices without any user interaction. According to Tim Willis, head of Project Zero, the attack only requires access to the victim’s phone number. Hackers can easily access the affected devices remotely after a simple search.
The affected devices using Exynos chips include:
- Samsung series: S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04.
- Vivo series: S16, S15, S6, X70, X60, and X30.
- Google: Pixel 6 and Pixel 7.
- Smartwatches using Exynos W920 chips.
- Cars using Exynos Auto T5123 chips.
Although Samsung has already provided other partners with security updates that address the four high-risk vulnerabilities, each manufacturer has its own timeline for shipping updates. For example, Google has already fixed a number of the mentioned vulnerabilities in its March 2023 security updates for the Pixel series.
Note that 14 vulnerabilities have not yet been addressed. Although they are not highly critical, users can protect themselves from them by disabling the Wi-Fi and Voice-over-LTE (VoLTE) network connectivity features.
As always, we recommend updating your devices as soon as possible when new updates arrive and ensuring that you are running the latest versions that address all disclosed and undisclosed security vulnerabilities.