Google's Project Zero team of security analysts has published a report that a critical vulnerability has been discovered in some smartphones and smartwatches based on Exynos chips manufactured by Samsung Semiconductor. By exploiting this vulnerability, attackers can remotely compromise a phone without user interaction; the attack only requires the attacker to know the victim’s phone number.
Samsung Semiconductor’s advisory provides a list of Exynos chipsets affected by these vulnerabilities. Based on information from publicly available websites that display chipsets for devices, the affected products likely include:
- Mobile devices from Samsung, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, Samsung Galaxy Watch 4, and Samsung Galaxy Watch 5;
- Mobile devices from Vivo, including the S16, S15, S6, X70, X60, and X30 series;
- Pixel 6 and Pixel 7 series devices from Google;
- Any devices, including cars, that use the Exynos Auto T5123 chipset.
Users are advised to immediately install the latest updates that Google has already released for their devices, or to disable Wi-Fi calling and Voice-over-LTE (VoLTE) calls in their device settings.
The Project Zero website also states: “According to our standard disclosure policy, Project Zero discloses security vulnerabilities within a set time after notifying the software or hardware vendor. In some rare cases, when we have assessed that attackers would benefit significantly more than defenders if a vulnerability were disclosed, we make an exception to our policy and delay disclosure of that vulnerability.” This means that the discovered vulnerability is extremely dangerous.