Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs


Google security analysts have warned Android device users that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack and remote-control their handsets knowing just the phone number.


Between late 2022 and early this year, Google's Project Zero found and reported 18 of these bugs in Samsung's Exynos cellular modem firmware, according to Tim Willis, who heads the bug-hunting team. Four of the 18 zero-day flaws can allow internet-to-baseband remote code execution. The baseband, or modem, portion of a device typically has privileged low-level access to all the hardware, and so exploiting bugs within its code can give an intruder full control over the phone or device. Technical details of these holes have been withheld for now to protect users of vulnerable gear.


"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Willis wrote in a breakdown of the security flaws. 






"With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely," he added.


One of these four severe bugs has been assigned a CVE number, and it's tracked as CVE-2023-24033. The other three are awaiting bug IDs.

The other 14 issues aren't as severe and require "either a malicious mobile network operator or an attacker w ..
