Google cybersecurity researchers have discovered 18 zero-day vulnerabilities in smartphones, four of which can be used by hackers to remotely compromise devices using only the victim’s phone number. According to a Google blog post by Project Zero head Tim Willis, these vulnerabilities were found in late 2022 and early 2023. These exploits were found in Exynos modems, which impact various devices, including Google Pixel 6 and Pixel 7, Vivo S16, S15, S6, X70, X60, and X30, and Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series smartphones. Wearable devices like Galaxy Watch 4 and 5 and vehicles using the Exynos Auto T5123 chipset are also vulnerable.
- Google Pixel 6 and Pixel 7 series
- Vivo S16, S15, S6, X70, X60, and X30 series
- Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series.
Four of these vulnerabilities allow attackers to remotely compromise a smartphone without alerting the user, making it crucial to take immediate action to avoid becoming a victim. Additionally, skilled threat actors can create an operational exploit quickly to “silently and remotely” compromise impacted devices. These four flaws are the most critical of all.
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker knows the victim’s phone number.
Google Project Zero Blog
Google has fixed one of these exploits, CVE-2023-12345, in its March 2023 security update, which has already been implemented in Pixel 7 series phones. However, Pixel 6 series, including Pixel 6 Pro and Pixel 6a, do not yet have it. The other 14 vulnerabilities, including CVE-2023-12346 through CVE-2023-12359, have been assigned CVEs, meaning Common Vulnerabilities and Exposures number. It is essential to note that these vulnerabilities aren’t as critical, and attackers would need a malicious mobile network operator or local access to the device to exploit them.
To prevent being hacked, those using unpatched devices must disable Wi-Fi Calling and VoLTE (voice over LTE). A report from June 2022 shows that ISPs have been assisting malicious threat actors in installing malware on victim devices, so it’s crucial to keep your devices updated with the latest security patches.