Google LLC’s Project Zero cybersecurity research team has discovered 18 vulnerabilities in mobile and auto chips made by Samsung Electronics Co. Ltd.

The search giant disclosed the vulnerabilities on Thursday. According to Google, chips containing the security flaws can be found in 11 of Samsung’s Galaxy handsets. The chips also power some handsets from Vivo Communication Technology Co. Ltd., as well as Google’s own Pixel 6 and Pixel 7 smartphone lines.

Google typically shares technical details about the vulnerabilities that it discovers. However, the company has opted to delay the release of technical information about four of the 18 vulnerabilities it revealed on Thursday. The reason is that they have the potential to pose a severe cybersecurity risk to users. 

According to Google, the four security flaws in question allow hackers to remotely compromise a vulnerable handset without requiring any action on the user’s part. As a result, a device can be breached even if the user doesn’t click on a malicious link or download malware. That theoretically makes it easier for hackers to successfully carry out cyberattacks.

“Those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” detailed Tim Willis, the head of Google’s Project Zero cybersecurity research team. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”

Samsung detailed in a security advisory that one of the four vulnerabilities, CVE-2023-24033, is a memory corruption flaw. This is a type of software bug that allows certain sections of a device’s memory, and the data they contain, to be overwritten. Hackers can use such bugs to overwrite portions of a device’s data with malicious code.

The 14 other vulnerabilities Google uncovered are believed to be less severe. According to the company, they can be exploited only if a device falls into the hands of hackers or connects to a “malicious mobile network operator.”

Samsung has posted security advisories for five of the 14 less severe vulnerabilities. According to the advisories, three of the five vulnerabilities are heap buffer overflow flaws. Such flaws emerge when too much data is written to a section of a device’s memory and the excess information overwrites nearby memory blocks.

According to Samsung, the vulnerabilities affect several chips from its Exynos line of mobile processors. The processors feature a system-on-chip design that combines a central processing unit, a graphics card and other processing modules. Additionally, there’s a built-in modem for connecting to carrier networks. 

Samsung also sells standalone modem chips that third-party handset makers can embed in their devices. According to the company, two of its 5G modems are affected by the vulnerabilities. Samsung also determined that hackers can target its Exynos Auto T5123 chip, a vehicle processor for facilitating 5G network access in cars.

Patches have not yet been released for all the devices affected by the vulnerabilities. Until a fix becomes available, users can block the vulnerabilities by turning off Wi-Fi calling and voice-over-LTE in their device settings. Google patched its Pixel devices earlier this year and Samsung is expected to release security updates for affected Galaxy devices further down the road. 

Photo: Samsung