Google recommends disabling some features of smartphones and watches – vulnerabilities allow gadgets to be compromised without users’ knowledge

Google’s Project Zero team spoke about serious vulnerabilities that pose a threat to smartphones with Exynos modems used in the flagship Pixel 6 and 7, Samsung smartphones, Vivo and many wearable devices, mainly smartwatches. Luckily, their users have the option to protect their information before the software is updated.

Image source: SCREEN POST/unsplash.com

Project Zero identified 18 Exynos modem vulnerabilities in late 2022 and early 2023. Four of them, including CVE-2023-24033, allow attackers to remotely execute code on users’ devices and compromise phones without their involvement—just knowing the victim’s number is enough. Google believes that experienced attackers will be able to quickly create a working solution for use in unseemly purposes.

Another 14 vulnerabilities are not as critical and require either the involvement of an unscrupulous mobile operator or an attacker’s “local” access to the device. Project Zero said it made an exception to its policy of delaying vulnerability disclosure due to the threat level and the speed at which attackers could potentially create a working exploit. According to Samsung, as of January 2023, the problem will affect the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080 and Exynos Auto T5123 chips. Google has compiled a list of vulnerable products:

• Samsung Galaxy smartphones, including S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
• Vivo smartphones, including the S16, S15, S6, X70, X60 and X30 series;
• Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro;
• all portable devices with Exynos W920 chipsets;
• all vehicles with Exynos Auto T5123 chipsets.

In addition to Pixel 6 (Exynos 5123) and 7 (Exynos 5300), we are talking about the flagship Galaxy S22 and Galxy Watch 4 and 5. On some Pixel smartphones, the main vulnerability CVE-2023-24033 has already been fixed by the March security patch, released on Monday . However, the Pixel 6, 6 Pro and 6a have yet to receive the March update and are still vulnerable, according to 9to5google.

Project Zero is temporarily advising, pending software updates on all vulnerable smartphones, to protect themselves by disabling Wi-Fi and Voice over LTE (VoLTE) calls. According to Sprint/T-Mobile, VoLTE will be automatically enabled in Google Pixel smartphones thanks to updates in 2021 and cannot be disabled by traditional means, but you can disable the feature in models from other brands.