Google's security research unit triggered alarms about a series of vulnerabilities detected in certain Samsung chips.
These vulnerabilities are also in some smart watch models such as those made by Samsung itself.
Google's internal team called Project Zero is dedicated to tracking zero-day vulnerabilities (those that have just been discovered) in devices and software, especially mobile-related.
In a blog post, Tim Willis, the head of Project Zero, explained that security researchers have found up to 18 vulnerabilities in Exynos processors made by Samsung in recent months.
Another researcher from the same research group, Maddie Stone, has written on her Twitter account that Samsung had 90 days to patch these security flaws, but she is surprised that it hasn't done so yet.
End-users still don't have patches 90 days after report.... https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
Among the errors detected, four are of the highest severity, since they could silently and remotely compromise the affected devices.
They affect, above all, processors, browsers and open source libraries used by these devices.
"Testing by Project Zero confirms that these four vulnerabilities allow an attacker to compromise a phone remotely and without user interaction. They only require the attacker to know the victim's phone number," Willis explained.
The security breach, according to experts, is more worrisome than expected, above all because there is no need for the user to carry out any interaction to initiate the attack.
Exynos processors convert the signals that a device emits into digital data, so if an intruder has access to them, they can obtain all the data that enters and leaves the device, including calls, messages or files, without raising a single suspicion in the victim.
For this reason, the Google security team recommends turning off voice services over WiFi and LTE until there is a solution.
The phones that are at risk
Some A-series models are in danger.
"In the meantime, users with affected devices can protect themselves from remote code execution vulnerabilities by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings," they explain.
The Samsung devices that could be at risk are the Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series.
It is standard practice for Project Zero to disclose how vulnerabilities work 90 days after reporting them to affected vendors.
In this case, however, they still have not explained the four key flaws that allow code to be run remotely.
The American tech giant has flagged this risk to the public, stating that expert attackers are able to quickly exploit these bugs to their advantage.
Samsung confirmed in a March 2023 security listing that several Exynos chips are vulnerable and that this would affect several Android device makers, but provided few other details.
SL