As bugs go, it doesn’t get any worse than this: A newly found vulnerability in Samsung’s Exynos modems allows hackers to take over phones without any intervention from the phone’s owners.
Google Project Zero found a total of 18 zero-day vulnerabilities in Samsung’s Exynos modems in late 2022 and early 2023. Four of those allow the hackers to remotely compromise the users’s phone, and only require that they know the victim’s phone number. Google claims that skilled attackers might be able to “quickly create an operational exploit to compromise affected devices silently and remotely.”
Hackers threaten to leak Amazon Ring data after claiming responsibility for ransomware attack
The list of phones that are vulnerable is quite long: Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series, Google Pixel 6 and Pixel 7 series, and Vivo S16, S15, S6, X70, X60 and X30 series.
Additionally, any wearables that use the Exynos W20 chipset (these include the Pixel Watch 4 and 5, for example), and any vehicles that use the Exynos Auto T5123 chipset are vulnerable too.
The silver lining for Samsung Galaxy S22 owners is that phones from that series that are sold in the U.S. have a Qualcomm chipset instead of Samsung’s Exynos chipset, and are therefore not vulnerable. Galaxy S22 owners in Europe aren’t so lucky. Also, Google fixed the vulnerability on Pixel 7 phones with its March 2023 security patch, though 9to5Google notes that the Pixel 6, Pixel 6 Pro, and Pixel 6a are still vulnerable.
Fortunately, there is a way for users to temporarily remedy the issue by turning off Wi-Fi calling and Voice-over-LTE in their device’s settings. This might result in slightly lower voice call quality, but it at least means your phone is safe until an official patch is available.