Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs the victim’s phone number.

Google’s Project Zero unit is calling urgent attention to multiple security defects found in Samsung’s Exynos chipsets, warning that attackers can remotely compromise a phone at the baseband level with no user interaction whatsoever.

Project Zero leam lead Tim Willis said his researchers reported at least 18 zero-day vulnerabilities in the Exynos modems produced by Samsung Semiconductor and used in the company’s flagship Galaxy devices.

In some cases, Willis said an attacker would only need to know the victim’s phone number to exploit the bugs in what is being described as “Internet-to-baseband remote code execution” issues.

“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit ...