Google tells customers of some Android telephones: Nuke voice calling to keep away from an infection

Google is urging homeowners of sure Android telephones to take pressing motion to guard themselves from vital vulnerabilities that give expert hackers the power to surreptitiously compromise their units by making a specifically crafted name to their quantity.  It’s not clear if all actions urged are even attainable, nonetheless, and even when they’re, the measures will neuter units of most voice-calling capabilities.

The vulnerability impacts Android units that use the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos Auto T5123 chipsets made by Samsung’s semiconductor division. Susceptible units embody the Pixel 6 and seven, worldwide variations of the Samsung Galaxy S22, varied mid-range Samsung telephones, the Galaxy Watch 4 and 5, and vehicles with the Exynos Auto T5123 chip. These units are ONLY susceptible in the event that they run the Exynos chipset, which incorporates the baseband that processes alerts for voice calls. The US model of the Galaxy S22 runs a Qualcomm Snapdragon chip.

A bug tracked as CVE-2023-24033 and three others which have but to obtain a CVE designation make it attainable for hackers to execute malicious code, Google’s Undertaking Zero vulnerability workforce reported on Thursday. Code-execution bugs within the baseband could be particularly vital as a result of the chips are endowed with root-level system privileges to make sure voice calls work reliably.

“Exams performed by Undertaking Zero verify that these 4 vulnerabilities permit an attacker to remotely compromise a cellphone on the baseband degree with no person interplay, and require solely that the attacker know the sufferer’s cellphone quantity,” Undertaking Zero’s Tim Willis wrote. “With restricted extra analysis and improvement, we imagine that expert attackers would be capable to shortly create an operational exploit to compromise affected units silently and remotely.”

Earlier this month, Google launched a patch for susceptible Pixel 7 fashions, however fixes for Pixel 6 fashions have but to be delivered to many, if not all, customers (the Undertaking Zero publish incorrectly states in any other case). Samsung has launched an replace patching CVE-2023-24033, but it surely has not but been delivered to finish customers. There’s no indication Samsung has issued patches for the opposite three vital vulnerabilities. Till susceptible units are patched, they continue to be susceptible to assaults that give entry on the deepest degree attainable.

The risk prompted Willis to place this recommendation on the very prime of Thursday’s publish:

Till safety updates can be found, customers who want to shield themselves from the baseband distant code execution vulnerabilities in Samsung’s Exynos chipsets can flip off Wi-Fi calling and Voice-over-LTE (VoLTE) of their gadget settings. Turning off these settings will take away the exploitation danger of those vulnerabilities.

The issue is, it’s not totally clear that it’s attainable to show off VoLTE, a minimum of on many fashions. A screenshot one S22 person posted to Reddit final yr exhibits that the choice to show off VoLTE is grayed out. Whereas that person’s S22 was operating a Snapdragon chip, the expertise for customers of Exynos-based telephones is probably going the identical.

And even whether it is attainable to show off VoLTE, doing so along with turning off Wi-Fi turns telephones into little greater than tiny tablets operating Android. VoLTE got here into widespread use just a few years in the past, and since then most carriers in North America have stopped supporting older 3G and 2G frequencies.

Samsung representatives stated in an e-mail that the corporate in March launched safety patches for 5 of six vulnerabilities that “could doubtlessly affect choose Galaxy units” and can patch the sixth flaw subsequent month. The e-mail didn’t reply questions asking if any of the patches can be found to finish customers now or whether or not it’s attainable to show off VoLTE. The e-mail additionally did not clarify that patches have but to be delivered to finish customers.

A Google consultant, in the meantime, declined to supply the particular steps for finishing up the recommendation within the Undertaking Zero writeup. Meaning Pixel 6 customers don’t have any actionable mitigation steps whereas they wait an up to date for his or her units. Readers who determine a method are invited to clarify the method (with screenshots, if attainable) within the feedback part.

Due to the severity of the bugs and the convenience of exploitation by expert hackers, Thursday’s publish omitted technical particulars. In its product safety replace web page, Samsung described CVE-2023-24033 as a “reminiscence corruption when processing SDP attribute accept-type.”

“The baseband software program doesn’t correctly test the format varieties of accept-type attribute specified by the SDP, which might result in a denial of service or code execution in Samsung Baseband Modem,” the advisory added. “Customers can disable WiFi calling and VoLTE to mitigate the affect of this vulnerability.”

Brief for the Session Description Protocol, SDP is a mechanism for establishing a multimedia session between two entities. Its most important use is supporting streaming VoIP calls and video conferencing. SDP makes use of a supply/reply mannequin through which one celebration advertises an outline of a session and the opposite celebration solutions with the specified parameters.

The risk is severe, however as soon as once more, it applies solely to individuals utilizing an Exynos model of one of many affected fashions.

Till Samsung or Google says extra, customers of units that stay susceptible ought to (1) set up all obtainable safety updates with a detailed eye out for one patching CVE-2023-24033, (2) flip off Wi-Fi calling, and (3) discover the settings menu of their particular mannequin to see if it’s attainable to show off VoLTE. This publish will probably be up to date if both firm responds with extra helpful data.

Submit up to date to appropriate the definition of SDP.