Google Project Zero team finds critical security flaw in Samsung modems

Multiple security vulnerabilities in smartphone modems made by Samsung, under its Exynos chip line, gave way to baseband remote code execution (RCE) abilities for hackers. This flaw, according to reporting by Google’s Project Zero threat detection team, could enable hackers to remotely gain access to a vulnerable device without any intervention from the user itself. Of a total of 18 flaws found by Google’s Project Zero team, four are critical in nature.

The flaw in question occurs due to the firmware of a select number of Samsung Exynos modems failing to conduct a software check that would validate how certain applications are allowed access to crucial information in a device. Getting full access, which in cyber security parlance is called ‘privilege escalation’, occurs when the firmware of a device fails to keep out applications from the crucial areas of a memory chip, which store critical user information such as passwords and location data.

The flaws discovered by Project Zero enable remote code execution on the baseband modem, giving hackers sitting at a remote location full access to the highest privilege level for all data and settings of a device, which in turn can pose a critical security threat. The issues affect a wide range of devices, including smartphones, wearables and car platforms.

Some of the most popular devices that could be affected in India as a result of the vulnerabilities include last year’s flagship, Samsung Galaxy S22, Galaxy A53 mid-premium range smartphone, old flagship Vivo X70 series, and the latest generation Google Pixel 7 smartphones. Other devices that are at risk include smartwatches and fitness bands that use Exynos W920, and cars with Exynos Auto T5123 onboard. The W920, to be sure, is Samsung’s latest generation wearable chip that powers the Galaxy Watch 5 series of smartwatches.

According to a report by Bleeping Computer, Google has already released a patch for one of the four critical flaws as part of its March security update for the Pixel 7 smartphone. However, reports claim that not all users are likely to have received the update already, and the same may be rolling out as staggered updates.

Tim Willis, head of Project Zero, added that the firm is refraining from publishing full details of the critical flaws, as a result of “a very rare combination” of factors that make the flaw highly critical.