Why Google is Urging Android Phone users to Switch off Wi-Fi Calling
If you own an Android phone that uses a Samsung Exynos chipset, you might want to pay attention to this. Google has recently discovered multiple security flaws in these chipsets that could allow hackers to take over your phone remotely by just making a call to your number. Sounds scary, right? Well, it is. Here’s what you need to know about this serious threat and how you can protect yourself.
What are the security flaws and how do they work?
The security flaws are located in the baseband of the Exynos chipset, which is responsible for processing voice calls. The baseband is a crucial component of any phone, as it connects it to the cellular network and enables communication. However, it also has privileged access to the phone’s hardware and software, which makes it a tempting target for hackers.
Google’s Project Zero team, which specializes in finding and reporting zero-day vulnerabilities (i.e., flaws that are unknown to the vendor and have no patch available), has identified four such flaws in Samsung’s Exynos chipsets between late 2022 and early 2023. One of them has been assigned a CVE identifier (CVE-2023-24033), while the other three are still unnamed.
According to Project Zero’s Tim Willis, these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. The attacker can then execute malicious code on the phone, access its data, spy on its activities, or even brick it.
The attack works by exploiting a weakness in how the baseband handles Wi-Fi calling and Voice-over-LTE (VoLTE) protocols. These protocols allow users to make high-quality voice calls over Wi-Fi or 4G networks instead of using traditional cellular signals. However, they also introduce new attack vectors for hackers who can craft specially designed calls that trigger buffer overflows or memory corruption errors in the baseband firmware.
Which Devices are Affected and How can you Check?
The vulnerability affects only those devices that use Samsung’s Exynos chipsets made by its semiconductor division. This means that some of the most popular Android phones on the market are at risk, including:
- Samsung Galaxy phones including the international version of the S22
- Pixel 6 and 7, including pro models
- Any automobiles that rely on the Exynos Auto T5123 chipset
- Galaxy Watch 4 and 5
- Wearable devices that contain the Exynos W920 based motherboard
To check if your device uses an Exynos chipset, you can use an app like CPU-Z or Device Info HW from Google Play Store. Alternatively, you can look up your device model online and see what kind of processor it has.
Note that not all Samsung devices use Exynos chipsets. For example, the US version of Samsung Galaxy S22 uses a Qualcomm Snapdragon chipset instead, which is not affected by this vulnerability.
How can you protect yourself until a patch is available?
Google has already released a patch for vulnerable Pixel models earlier this month. Samsung has also developed a patch for CVE-2023-24033 (the most critical flaw), but it has not yet delivered it to end users. There is no word on when patches for the other three flaws will be ready or distributed.
Until then, Google advises users who wish to protect themselves from these baseband remote code execution vulnerabilities to turn off Wi-Fi calling and VoLTE in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities but will also reduce your device’s calling capabilities.
However, some users have reported that they cannot turn off VoLTE on their devices because there is no option available in their settings. This could be due to carrier restrictions or firmware limitations. In that case, there is not much you can do except wait for an update from Samsung or your carrier.
Another possible mitigation strategy is to use a VPN service when connecting to public Wi-Fi networks or untrusted cellular networks. A VPN encrypts your internet traffic and prevents hackers from intercepting or tampering with it. However, this may not be enough to stop sophisticated attackers who can bypass VPNs or target other parts of your device.