Keeping up with the latest security news isn’t easy. It seems every week there’s a fresh threat on at least one of our devices to watch out for. This time around, though, it’s a doozy: If you have a Samsung Galaxy or recent Google Pixel, hackers might be able to break into your phone with just your phone number alone.
Project Zero, a security research team from Google, discovered a whopping 18 zero-day vulnerabilities with Samsung Exynos modems late last year into early 2023. Zero-day vulnerabilities are dangerous because bad actors know about them before software and hardware vendors do, which raises the possibility of an attack significantly.
Even worse in this case, four of the 18 zero-days allow for what’s called “Internet-to-baseband remote code execution,” in which a hacker can take over your phone with no input on your part. All they need to know is your phone number, and they’re in, assuming you have one of the affected devices.
Samsung’s Exynos modem (not to be confused with the Exynos SoC, which is common in Galaxy devices outside the U.S.), is the part of your smartphone that powers phone calls. Project Zero believes this to be the complete list of affected devices:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
- The Pixel 6 and Pixel 7 series of devices from Google
- Any vehicles that use the Exynos Auto T5123 chipset
Updates are here to protect from this latest Android security threat
In short, it’s bad news. But there is good news. Patches and updates are already available for users to fix their devices. Google, for one, fixed all four critical vulnerabilities with the March update. If you have a Pixel 6 or Pixel 7, make sure you update ASAP if you haven’t already to protect yourself.
G/O Media may get a commission
The news is similar on the Samsung side. The company has patched five of six noted security vulnerabilities in its March update, which is interesting considering Project Zero notes four critical vulnerabilities. What’s more, Samsung doesn’t consider the six vulnerabilities it identifies as “critical.” If they relate to these zero-day modem vulnerabilities, however, I’d beg to differ.
How to protect your Samsung Galaxy while waiting for the final patch
So, the immediate action to take is to update your Pixel or Galaxy device as soon as possible. But there is still the unpatched vulnerability on the Galaxy side, which Samsung says should be ready in April. To shore up your security while you wait, you may want to consider disabling wifi calling, which can help protect against this internet-to-baseband remote code execution. To do so, go to Settings > Connections, then disable “Wi-Fi Calling.”
Disabling VoLTE (Voice Over LTE) is another solution, but there are two problems there. One, it impacts your ability to make and receive phone calls, but more importantly, it’s not really doable on your end, since it’s now controlled by your carrier. You can get around this by switching your Network mode to “2G/3G”…but who wants to live like that? In my view, keep your phone connected to LTE or 5G, disable wifi calling, and wait for Samsung to issue the final patch.