The Project Zero team at Google has recently published a new blog post about a series of vulnerabilities it has discovered in the Exynos chipset in Samsung devices produced between late 2022 and early 2023.
CVE-2023-24033 and three other yet-to-be-named zero-day vulnerabilities discovered by Google could enable attackers to perform internet-to-baseband remote code execution. The 14 other vulnerabilities have been classified as less risky, as they require either a malicious mobile network operator or an attacker with local access to the device to perform remote code execution.
The following devices are affected:
· Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series.
· Vivo S16, S15, S6, X70, X60 and X30 series.
· The Pixel 6 and Pixel 7 series.
· Any vehicles that use the Exynos Auto T5123 chipset.
Google has patched its Pixel devices; however, it reminds users that it is the responsibility of each phone manufacturer to release security patches for its own devices. If your manufacturer has yet to release a patch, Google recommends turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in your device settings to protect yourself from remote code execution vulnerabilities like CVE-2023-24033.
In addition, once a patch is available, you should update your device to the latest version as soon as possible and turn on automatic updates so that your device can update while not in use. To learn more about updating devices, you can read the NCSC's article "Keeping devices and software up to date" on NCSC.GOV.UK.