Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Android Google Security

Google Warns Users To Take Action To Protect Against Remotely Exploitable Flaws in Popular Android Phones (techcrunch.com) 55

Google's security research unit is sounding the alarm on a set of vulnerabilities it found in certain Samsung chips included in dozens of Android models, wearables and vehicles, fearing the flaws could be soon discovered and exploited. From a report: Google's Project Zero head Tim Willis said the in-house security researchers found and reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung over the past few months, including four top-severity flaws that could compromise affected devices "silently and remotely" over the cellular network.

"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Willis said. By gaining the ability to remotely run code at a device's baseband level -- essentially the Exynos modems that convert cell signals to digital data -- an attacker would be able to gain near-unfettered access to the data flowing in and out of an affected device, including cellular calls, text messages, and cell data, without alerting the victim.
The list of affected devices includes (but is not limited to): Samsung mobile devices, including the S22, M and A series handsets; Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series; Google Pixel 6 and Pixel 7 series; and connected vehicles that use the Exynos Auto T5123 chipset.
This discussion has been archived. No new comments can be posted.

Google Warns Users To Take Action To Protect Against Remotely Exploitable Flaws in Popular Android Phones

Comments Filter:
  • S20+?
    different chip?

    • by hAckz0r ( 989977 )
      The Exynos 990 chipset is not listed as vulnerable. The 980 (older chipset?) is as well as newer chipsets are listed, which makes me wonder. The S20/+ had its own vulnerabilities patched back in 2020, so maybe that is the difference. I would still keep an eye out for new products being listed as more testing happens. There are still some vulnerabilities that have not been disclosed because the patches are still being worked on.
      • The Exynos 990 chipset is not listed as vulnerable.

        ... yet. Given Samsung's track record there'll be plenty of vulns in this one as well, security researchers just haven't got around to analysing it yet.

        That's not Samsung-bashing, just looking at their track record in vulns and assuming that the 990 will be no exception.

  • by Seven Spirals ( 4924941 ) on Friday March 17, 2023 @11:54AM (#63378359)
    Once the support expires you simply cannot update or upgrade the device at all. I'm still using an IBM Thinkpad x61s from 2007. It works great running the latest version of NetBSD or Linux. Modern browser, SSD, comfortable keyboard, etc... However, I have an Android tablet I bought in 2017 and it already won't let me update. However, the Google Play App store still let's me download apps not not update Android itself. I'm thinking that sounds like a good way to get pwned. It's a disposable business model and I'm a guy who still has his original C64 and Amiga 1200. I'm not digging "that thing is useless, throw it away."
    • The x61s was the best laptop ever! I wish I hadn't cracked the screen of mine.
    • by ebvwfbw ( 864834 )

      Android stuff is updated by the cellular provider. In my case that's Verizon. After a few years they don't care about it anymore. If you want to update it you can. You have to break in first. If you can do that then set yourself up an IDE, suck down all the stuff for that phone or tablet and then create your new image. Then load it. Poof, you're up to date again. Of course, you'll lose a lot of the stuff that came with the old build. After a while, Verizon should make all that stuff available to us so we ca

  • Oh, there is not one available ... Samsung only provides updates for a pitifully short amount of time. WTF am I supposed to do ? I do not care about new features but security fixes should be available to 10 years - not until the next model is out.

    Mobile 'phones are now an essential part of many people's lives, not a toy. They need to thus be treated seriously by the vendors. I can see many people having their 'phones exploited and thus suffering material loss - the vendors need some liability. If they do no

    • Re: (Score:3, Informative)

      by rgmoore ( 133276 )

      There may not be anything available for Samsung, but the patches for Google phones are already out. If you've installed the March update for your Pixel, you're already protected.

      • by Burdell ( 228580 )

        Or maybe you're not... the two affected Pixel generations are 6 and 7, and (with no published reason) the 6 hasn't gotten the March update.

    • They need to thus be treated seriously by the vendors.

      They are, they want you to buy one every two years.

    • Is your phone older than 2019?

    • the vendors need some liability

      Vendors provide you 3 years of security updates for a device that historically had an expected life of 2 years. You're going to struggle to convince the court that they need more.

      Even more so you have a bigger problem. Android has only a 4 year support period. The phones affected here don't even receive security updates from Google anymore so vendors really can't do anything to push non-existent security updates.

      But this is irrelevant. You're not going to do anything serious on an unsupported insecure phone

      • the vendors need some liability

        Vendors provide you 3 years of security updates

        Both Google and Samsung now pledge 5 years of security updates.

        • Both Google and Samsung now pledge 5 years of security updates.

          They can pledge all they want. They need to put their money where their mouth is. Samsung already provide all updates Google do, but Google is the holdout here. Less 2 weeks ago Android 10 was officially EOL'd for security updates less than 3 and a half years after release.

          Not that it matters because at this point if you're using Android 11 (which does get security updates) you won't actually be able to update apps due to the minimum target API level for the playstore for any app update being level 31 (Andr

          • It's not only a pledge. Samsung does provide these updates. It was 4 years for the Galaxy S10, released in 2019. This device is still receiving security updates. They since increase the duration to 5 years.

            • It's not only a pledge. Samsung does provide these updates. It was 4 years for the Galaxy S10, released in 2019.

              You missed my point. Samsung provides only what Google does. If Google doesn't release a security level patch then Samsung doesn't provide it. They can pledge all they want. Here's one 100% solid truthful pledge from me. I pledge to you right now I will gift you a Ferrari I receive from the factory in Italy. No questions asked. No obligations. I 100% stand by my word.

              However since I will not be receiving a Ferrari ... ever... I suggest you don't rely on me for your personal transport requirements.

              • It's not only a pledge. Samsung does provide these updates. It was 4 years for the Galaxy S10, released in 2019.

                You missed my point. Samsung provides only what Google does. If Google doesn't release a security level patch then Samsung doesn't provide it.

                I am not sure there can't be any security fix which would be specific to Samsung's code.
                But anyways, Google does release security updates. The problem is that many manufacturers stop applying them to old devices not sold anymore. Samsung was even ahead of Google itself, since the Galaxy S10 has 4 years of security updates while the Pixel 4 released later only had a pledge for 3 years. Nothing stops Google from pushing new security updates to the Pixel 4, thought, but I am not sure it does.

                Your point might b

      • So win-win. You don't need to worry about security because it's not like you'll be able to do your banking anymore.

        I do not feel safe enough to do banking on a device that is so easily lost, where I can be shoulder surfed, ... I know that it is convenient and that many do it. For me they are secure enough. I do e-banking from my Debian machine at home or Linux Mint laptop if travelling.

        • I'm genuinely curious. Do you think banking apps don't have security, or that someone looking over your shoulder knows how to scan your fingerprint?

          • I do not trust the device. I use it only as a telephone, SMS machine, take the occasional picture and tether my laptop to it when out & about. I have not installed any apps on it, I do not feel the need. I eschew social media.

            As for banking app security: there is, for instance, a great show of 2 factor authentication. When I login it sends a SMS with a one time PIN. That is good when I login from my PC. If I were to login from my 'phone then I would be logging in from the device that also receives the S

      • a device that historically had an expected life of 2 years.

        Citation very much needed.
        I don't think I've ever known anyone who changes phones that often. What for?

        • "expected life of 2 years"

          This was considered normal 15 years ago.

          Since then, most users have figured out that the new phones are less useful than the old ones due to things like frequent changes to the UI, and the definition of "USB" being interpreted as "Unpredictable Stupid Bollocks".

          • 15 years ago was before the first Android phone. The iPhone was a new thing.
            Are you telling me people got a new flip phone every 2 years?

          • "expected life of 2 years"

            This was considered normal 15 years ago.

            And that is my point. New desires don't play as well in court compared to historical contexts. You want to talk liability you need to convince a court that the vendor is doing something wrong, rather than you doing something wrong (such as wanting to keep your phone for longer than 2 years).

            By the way I'm right with you, but the reality is a liability for the vendor won't fly.

        • These are thousand-dollar Samsung phones. Like iPhones, they're a fashion statement that need to be replaced every year.

          Besides, how much support are you actually expecting to get when you've paid a thousand dollars for a telephone?

        • Citation very much needed.
          I don't think I've ever known anyone who changes phones that often. What for?

          Ahh your UID is low. Welcome kid, there's a world of history you don't know about. Like a history of such fast paced development that virtually everyone was lining up to replace their phones as soon as possible as technical development was progressing at an incredible pace, all enabled by virtually every wireless carrier offering phone plans that included a new phone not only every 2 years, but often allowed you to get a new phone "early" so you didn't do something crazy like explore if a competitor had a b

    • First, stop buying Samsung. There are lots of good reasons, this is only one of them.

      Second, do the research and make sure your next phone has an unlockable bootloader, which most of the good Samsungs don't.

      Third, that phone also has to sell enough units to be interesting to XDA-Devs after support ends. So also buy a popular phone.

      If your phone has an unlockable bootloader then you can probably install Pixel Experience on it, and get all the functionality and all the updates you expect.

  • by Gaglia ( 4311287 ) on Friday March 17, 2023 @11:59AM (#63378369)

    It is a VoLTE / WiFi calling vulnerability: https://googleprojectzero.blog... [blogspot.com]

    Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.

    • While technically correct (the best kind of correct)... I'm not sure "only" is the best adjective, since I believe wifi calling is enabled by all the major carriers - and used by default.

      • VoLTE and WiFI calling may be enabled by default on the provider's side, but I don't think phones have it enabled.

        It seems to be opt in, though this may vary based on multiple criteria.

      • by Gonoff ( 88518 )

        I believe wifi calling is enabled by all the major carriers - and used by default.

        Not generally in the real world. I have Vodafone and 3 on my phone (Vodafone is a "virtual" SIM or something). I think Vodafone offers it, so I have enabled it but I would only need it if I went out of range. That doesn't happen much here.

      • My S22 has a tile toggle, which I have kept to off since I found it really takes more battery, and I rarely find myself without reception in places where I do have WiFi access. I guess it's great when you're abroad, you can keep off roaming yet can be reached on your regular number via WiFi. And you use the second SIM slot with a local card for data and local calls.
  • by xwin ( 848234 ) on Friday March 17, 2023 @12:16PM (#63378419)
    It is a good thing that always I keep my phone in airplane mode. Most of the calls you get these days are scams and spam anyway. Email is good enough for communications.
  • by Pinky's Brain ( 1158667 ) on Friday March 17, 2023 @12:20PM (#63378433)

    Is Project Zero using glitching/FIB now to drill down into the firmware level running on separate processors, or was Samsung's firmware available unencrypted?

    • Hmmm ...
      https://hardwear.io/netherland... [hardwear.io]
      [quote]Previous researchers and papers mentioned that modem.bin is encrypted
      Apparently, Samsung opted out of this recently \_()_/ [/quote]

      Idiots ... for closed source, obscurity is defense in depth. Run from encrypted external or internal memory only, never leave unencrypted machine code in the open. Sure advanced adversaries can glitch/FIB their way to the code, but don't make it easy.

  • Doesn't say how. And if it does and I missed it so fuck yourself TechCrunch
    • by mcl630 ( 1839996 )

      TFA tells you exactly what action to take:

      Google said that patches will vary depending on the manufacturer, but noted that its Pixel devices are already patched with its March security updates.

      Until affected manufacturers push software updates to their customers, Google said users who wish to protect themselves can switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “remove the exploitation risk of these vulnerabilities.”

  • "and require only that the attacker know the victim's phone number" I have my pixel configured to screen all calls not recognized in my contact list, does this leave me less vulnerable I wonder.
  • We must make demands (Score:2, Interesting)

    by Anonymous Coward

    All unsupported systems must be automatically put into the public domain. Copyright/patents are a government privilege, which must be forfeited upon the "end of life" of hardware and software. And also, these kinds of defects are lawsuit worthy, we should be all over it and demand free exchange

  • Glad again my devices are not on stock OEM. They don't use those proprietary blobs for which the RCE's are applicable.

    For a year now, there's works on a FLOSS unprivileged userspace VoLTE implementation: https://twitter.com/phhusson/s... [twitter.com]

  • Only Exynos chipsets are affected. Not all S22 have Exynos.

The world will end in 5 minutes. Please log out.

Working...