Google Warns Users To Take Action To Protect Against Remotely Exploitable Flaws in Popular Android Phones (techcrunch.com)
Google's security research unit is sounding the alarm on a set of vulnerabilities it found in certain Samsung chips included in dozens of Android models, wearables and vehicles, fearing the flaws could be soon discovered and exploited. From a report: Google's Project Zero head Tim Willis said the in-house security researchers found and reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung over the past few months, including four top-severity flaws that could compromise affected devices "silently and remotely" over the cellular network.
"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Willis said. By gaining the ability to remotely run code at a device's baseband level -- essentially the Exynos modems that convert cell signals to digital data -- an attacker would be able to gain near-unfettered access to the data flowing in and out of an affected device, including cellular calls, text messages, and cell data, without alerting the victim. The list of affected devices includes (but is not limited to): Samsung mobile devices, including the S22, M and A series handsets; Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series; Google Pixel 6 and Pixel 7 series; and connected vehicles that use the Exynos Auto T5123 chipset.
So I'm fine? (Score:1)
S20+?
different chip?
Re: (Score:2)
> Glorious iPhone Master Race
Dude, please - the preferred term is 'Mensheviks', in the parlance of our time.
Re: (Score:3)
Re: (Score:2)
The Exynos 990 chipset is not listed as vulnerable.
... yet. Given Samsung's track record there'll be plenty of vulns in this one as well, security researchers just haven't got around to analysing it yet.
That's not Samsung-bashing, just looking at their track record in vulns and assuming that the 990 will be no exception.
Re: (Score:2)
Oh wait it’s Android. Throw it away and buy a new one because you aren't getting jack shit.
But be very careful when replacing it or that could be exactly what you get with a nice new iShinyShiny
Good reason not to buy Android & IOS based tab (Score:3, Insightful)
Re: (Score:2)
Re: (Score:1)
Android stuff is updated by the cellular provider. In my case that's Verizon. After a few years they don't care about it anymore. If you want to update it you can. You have to break in first. If you can do that then set yourself up an IDE, suck down all the stuff for that phone or tablet and then create your new image. Then load it. Poof, you're up to date again. Of course, you'll lose a lot of the stuff that came with the old build. After a while, Verizon should make all that stuff available to us so we ca
So I'll just download an update ... (Score:2)
Oh, there is not one available ... Samsung only provides updates for a pitifully short amount of time. WTF am I supposed to do? I do not care about new features but security fixes should be available for 10 years - not until the next model is out.
Mobile 'phones are now an essential part of many people's lives, not a toy. They need to thus be treated seriously by the vendors. I can see many people having their 'phones exploited and thus suffering material loss - the vendors need some liability. If they do no
Re: (Score:3)
Samsung provides security updates for 5 years starting with S21, and I think it was 4 years starting with S10.
It compares to Pixels: 5 years since Pixel 6, and 3 years since Pixel 4.
Re: (Score:1)
Providing updates for 5 years is a bit different from providing timely updates.
When I had a Samsung, I generally got updates 6 months to a year after Google updated the Pixel. I will never buy another Samsung again.
Re: (Score:2)
That may have been your carrier. But I admit that I don't track that stuff. I just don't enable internet access on my phone. Or use it for financial transactions. To me, it's a bloody PHONE!!.
Re: (Score:2)
Don't confuse major OS updates with security updates. Major OS updates haven't mattered that much for at least 5 years, since Android is pretty much feature complete and I don't care about new features anyway. Same thing for Windows, I don't care if I get the update 6 months late.
Re: (Score:3, Informative)
There may not be anything available for Samsung, but the patches for Google phones are already out. If you've installed the March update for your Pixel, you're already protected.
Re: (Score:2)
Or maybe you're not... the two affected Pixel generations are 6 and 7, and (with no published reason) the 6 hasn't gotten the March update.
Re: (Score:2)
> They need to thus be treated seriously by the vendors.
They are, they want you to buy one every two years.
Re: (Score:2)
Is your phone older than 2019?
Re: (Score:2)
Yes
Re: (Score:2)
Then yes, I'm afraid you won't get that update. I think it only affects phones with Exynos modems though, so you should double-check that first.
Re: (Score:1)
> the vendors need some liability
Vendors provide you 3 years of security updates for a device that historically had an expected life of 2 years. You're going to struggle to convince the court that they need more.
Even more so you have a bigger problem. Android has only a 4 year support period. The phones affected here don't even receive security updates from Google anymore so vendors really can't do anything to push non-existent security updates.
But this is irrelevant. You're not going to do anything serious on an unsupported insecure phone
Re: (Score:3)
> > the vendors need some liability
> Vendors provide you 3 years of security updates
Both Google and Samsung now pledge 5 years of security updates.
Re: (Score:1)
> Both Google and Samsung now pledge 5 years of security updates.
They can pledge all they want. They need to put their money where their mouth is. Samsung already provide all updates Google do, but Google is the holdout here. Less than 2 weeks ago Android 10 was officially EOL'd for security updates less than 3 and a half years after release.
Not that it matters because at this point if you're using Android 11 (which does get security updates) you won't actually be able to update apps due to the minimum target API level for the playstore for any app update being level 31 (Andr
Re: (Score:2)
It's not only a pledge. Samsung does provide these updates. It was 4 years for the Galaxy S10, released in 2019. This device is still receiving security updates. They have since increased the duration to 5 years.
Re: (Score:2)
> It's not only a pledge. Samsung does provide these updates. It was 4 years for the Galaxy S10, released in 2019.
You missed my point. Samsung provides only what Google does. If Google doesn't release a security level patch then Samsung doesn't provide it. They can pledge all they want. Here's one 100% solid truthful pledge from me. I pledge to you right now I will gift you a Ferrari I receive from the factory in Italy. No questions asked. No obligations. I 100% stand by my word.
However since I will not be receiving a Ferrari ... ever... I suggest you don't rely on me for your personal transport requirements.
Re: (Score:2)
> > It's not only a pledge. Samsung does provide these updates. It was 4 years for the Galaxy S10, released in 2019.
> You missed my point. Samsung provides only what Google does. If Google doesn't release a security level patch then Samsung doesn't provide it.
I am not sure there can't be any security fix which would be specific to Samsung's code.
But anyways, Google does release security updates. The problem is that many manufacturers stop applying them to old devices not sold anymore. Samsung was even ahead of Google itself, since the Galaxy S10 has 4 years of security updates while the Pixel 4 released later only had a pledge for 3 years. Nothing stops Google from pushing new security updates to the Pixel 4, though, but I am not sure it does.
Your point might b
Re: (Score:2)
So win-win. You don't need to worry about security because it's not like you'll be able to do your banking anymore.
I do not feel safe enough to do banking on a device that is so easily lost, where I can be shoulder surfed, ... I know that it is convenient and that many do it. For me they are secure enough. I do e-banking from my Debian machine at home or Linux Mint laptop if travelling.
Re: (Score:2)
I'm genuinely curious. Do you think banking apps don't have security, or that someone looking over your shoulder knows how to scan your fingerprint?
Re: (Score:2)
I do not trust the device. I use it only as a telephone, SMS machine, take the occasional picture and tether my laptop to it when out & about. I have not installed any apps on it, I do not feel the need. I eschew social media.
As for banking app security: there is, for instance, a great show of 2 factor authentication. When I login it sends a SMS with a one time PIN. That is good when I login from my PC. If I were to login from my 'phone then I would be logging in from the device that also receives the S
Re: (Score:2)
> a device that historically had an expected life of 2 years.
Citation very much needed.
I don't think I've ever known anyone who changes phones that often. What for?
Re: (Score:2)
This was considered normal 15 years ago.
Since then, most users have figured out that the new phones are less useful than the old ones due to things like frequent changes to the UI, and the definition of "USB" being interpreted as "Unpredictable Stupid Bollocks".
Re: (Score:2)
15 years ago was before the first Android phone. The iPhone was a new thing.
Are you telling me people got a new flip phone every 2 years?
Re: (Score:2)
"expected life of 2 years"
> This was considered normal 15 years ago.
And that is my point. New desires don't play as well in court compared to historical contexts. You want to talk liability you need to convince a court that the vendor is doing something wrong, rather than you doing something wrong (such as wanting to keep your phone for longer than 2 years).
By the way I'm right with you, but the reality is a liability for the vendor won't fly.
Re: (Score:2)
These are thousand-dollar Samsung phones. Like iPhones, they're a fashion statement that needs to be replaced every year.
Besides, how much support are you actually expecting to get when you've paid a thousand dollars for a telephone?
Re: (Score:2)
> Citation very much needed.
> I don't think I've ever known anyone who changes phones that often. What for?
Ahh your UID is low. Welcome kid, there's a world of history you don't know about. Like a history of such fast paced development that virtually everyone was lining up to replace their phones as soon as possible as technical development was progressing at an incredible pace, all enabled by virtually every wireless carrier offering phone plans that included a new phone not only every 2 years, but often allowed you to get a new phone "early" so you didn't do something crazy like explore if a competitor had a b
Re: (Score:2)
First, stop buying Samsung. There are lots of good reasons, this is only one of them.
Second, do the research and make sure your next phone has an unlockable bootloader, which most of the good Samsungs don't.
Third, that phone also has to sell enough units to be interesting to XDA-Devs after support ends. So also buy a popular phone.
If your phone has an unlockable bootloader then you can probably install Pixel Experience on it, and get all the functionality and all the updates you expect.
Only affects VoLTE and WiFI Call (Score:5, Informative)
It is a VoLTE / WiFi calling vulnerability: https://googleprojectzero.blog... [blogspot.com]
> Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.
Re: (Score:3)
While technically correct (the best kind of correct)... I'm not sure "only" is the best adjective, since I believe wifi calling is enabled by all the major carriers - and used by default.
Re: (Score:2)
VoLTE and WiFi calling may be enabled by default on the provider's side, but I don't think phones have it enabled.
It seems to be opt in, though this may vary based on multiple criteria.
Re: (Score:2)
Re: (Score:2)
> I believe wifi calling is enabled by all the major carriers - and used by default.
Not generally in the real world. I have Vodafone and 3 on my phone (Vodafone is a "virtual" SIM or something). I think Vodafone offers it, so I have enabled it but I would only need it if I went out of range. That doesn't happen much here.
Re: (Score:2)
Airplane mode FTW (Score:4, Funny)
How did they get access to firmware? (Score:4, Insightful)
Is Project Zero using glitching/FIB now to drill down into the firmware level running on separate processors, or was Samsung's firmware available unencrypted?
Re: (Score:3)
Hmmm ...
https://hardwear.io/netherland... [hardwear.io]
> Previous researchers and papers mentioned that modem.bin is encrypted
> Apparently, Samsung opted out of this recently ¯\_(ツ)_/¯
Idiots ... for closed source, obscurity is defense in depth. Run from encrypted external or internal memory only, never leave unencrypted machine code in the open. Sure advanced adversaries can glitch/FIB their way to the code, but don't make it easy.
Take action! (Score:1)
Re: (Score:2)
TFA tells you exactly what action to take:
> Google said that patches will vary depending on the manufacturer, but noted that its Pixel devices are already patched with its March security updates.
> Until affected manufacturers push software updates to their customers, Google said users who wish to protect themselves can switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “remove the exploitation risk of these vulnerabilities.”
Re: (Score:2)
call screening ftw? (Score:2)
We must make demands (Score:2, Interesting)
All unsupported systems must be automatically put into the public domain. Copyright/patents are a government privilege, which must be forfeited upon the "end of life" of hardware and software. And also, these kinds of defects are lawsuit worthy, we should be all over it and demand free exchange
No VoLTE, not vulnerable (Score:2)
Glad again my devices are not on stock OEM. They don't use those proprietary blobs for which the RCEs are applicable.
For a year now, there has been work on a FLOSS unprivileged userspace VoLTE implementation: https://twitter.com/phhusson/s... [twitter.com]
Snapdragon Chipset Not Affected (Score:2)