Google tells users of some Android phones: Nuke voice calling to avoid infection

Baseband-level infection: If your device runs Exynos chips, be very, very concerned.

Dan Goodin – Mar 17, 2023 8:26 pm UTC

Image: the Samsung Galaxy S21, which runs with an Exynos chipset. Credit: Samsung

Google is urging owners of certain Android phones to take urgent action to protect themselves from critical vulnerabilities that give skilled hackers the ability to surreptitiously compromise their devices by making a specially crafted call to their number. It's not clear if all actions urged are even possible, however, and even if they are, the measures will neuter devices of most voice-calling capabilities.

The vulnerability affects Android devices that use the Exynos chipset made by Samsung's semiconductor division. Vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are ONLY vulnerable if they run the Exynos chipset, which includes the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs a Qualcomm Snapdragon chip.

A bug tracked as CVE-2023-24033 and three others that have yet to receive a CVE designation make it possible for hackers to execute malicious code, Google's Project Zero vulnerability team reported on Thursday. Code-execution bugs in the baseband can be especially critical because the chips are endowed with root-level system privileges to ensure voice calls work reliably.

"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Project Zero's Tim Willis wrote. "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely."

Earlier this month, Google released a patch for vulnerable Pixel models. Samsung has released an update patching CVE-2023-24033, but it has not yet been delivered to end users. There's no indication Samsung has issued patches for the other three critical vulnerabilities. Until vulnerable devices are patched, they remain vulnerable to attacks that give access at the deepest level possible.

The threat prompted Willis to put this advice at the very top of Thursday's post:

"Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung's Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities."

The problem is, it's not entirely clear that it's possible to turn off VoLTE, at least on many models. A screenshot one S22 user posted to Reddit last year shows that the option to turn off VoLTE is grayed out. While that user's S22 was running a Snapdragon chip, the experience for users of Exynos-based phones is likely the same.

And even if it is possible to turn off VoLTE, doing so in conjunction with turning off Wi-Fi may turn phones into little more than tiny tablets running Android. VoLTE came into widespread use a few years ago, and since then most carriers in North America have stopped supporting older 3G and 2G frequencies.

Samsung representatives said in an email that the company in March released security patches for "five of six vulnerabilities that may potentially impact select Galaxy devices" and will patch the sixth flaw next month. The email didn't answer questions asking if any of the patches are available to end users now or whether it's possible to turn off VoLTE.

A Google representative, meanwhile, declined to provide the specific steps for carrying out the advice in the Project Zero writeup. Readers who figure out a way are invited to explain the process (with screenshots, if possible) in the comments section.

Because of the severity of the bugs and the ease of exploitation by skilled hackers, Thursday's post omitted technical details. In its product security update page, Samsung described CVE-2023-24033 as "a memory corruption when processing SDP attribute accept-type."

"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," the advisory added. "Users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability."

Short for the Service Discovery Protocol layer, SDP allows for the discovery of services available from other devices over Bluetooth. Besides discovery, SDP allows applications to determine the technical characteristics of those services. SDP uses a request/response model for devices to communicate.

The threat is serious, but once again, it applies only to people using an Exynos version of one of the affected models. And once again, Google issued a patch earlier this month for Pixel users.

Until Samsung or Google says more, users of devices that remain vulnerable should (1) install all available security updates with a close eye out for one patching CVE-2023-24033, (2) turn off Wi-Fi calling, and (3) explore the settings menu of their specific model to see if it's possible to turn off VoLTE. This post will be updated if either company responds with more useful information.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.

Promoted Comments

Ruziel (March 17, 2023 at 8:42 pm): A cursory search indicates that the patch for Pixel 6 versions won't be available until 3/20. 😡

danm628 (March 17, 2023 at 11:16 pm): There is zero chance to get anyone on record talking about it. You have to sign a stack of NDAs taller than I am just to see the table of contents of any baseband firmware implementation from any OEM. That stuff is guarded more jealously than a dragon guards its hoard.

No chance of any kind of Ars feature on it, unless someone comes to us willing to risk massive civil penalties to leak docs.
Security through obscurity, eh? Winning strategy.
It's not for security. It's to protect IP. A lot of the "secret sauce" that makes chipset A better than chipset B is controlled via the firmware. These are things that are required for operation but are not part of the 3GPP standards. Most of the FW implements the standard and really isn't that secret. There are some semi-open source implementations of LTE available. But the portion of the FW that controls the hardware in the chipset is very secret because it can tell the competition how the chipset is implemented.

Exactly how do you schedule the IQ imbalance correction and the DC tone suppression? How accurate is the control of those things? How do you handle suppression of adjacent tones (i.e. noise reduction similar to what Bose or others do in headsets)? What about noise suppression for repeating interferers in-band (again, think Bose, apparently one vendor does this)? What is the exact RX sensitivity for the analog portion of the receiver (it will be in a table in the FW)? How accurately is the analog portion calibrated (another table)? Etc.

There also are some legal issues. Some regulatory bodies forbid third party (i.e. users) modifications to the baseband. Which is why the FW is almost always signed and may be encrypted.
