Remote hacking of Samsung, Google and Vivo smartphones: the problem and the solution

Vulnerabilities found in the Exynos chipset allow Samsung, Vivo and Google smartphones to be remotely hacked if the owner’s phone number is known. How is this possible, and how to protect yourself?

Zero-click remote hacks for Samsung, Google, and Vivo smartphones

Smartphones, tablets, and even cars with Samsung Exynos microprocessors are at risk of remote hacking. Bug hunters at Google Project Zero say you just need the victim’s phone number.

This is due to the presence of 18 vulnerabilities in the Exynos baseband radio processor, which is widely used in Google, Vivo, Samsung, and many other smartphones. Four of them are critical and allow an attacker to remotely execute code on a victim’s device without any action on their part. For the rest, either the mobile operator itself must perform malicious actions, or the hacker needs direct access to the device.
These vulnerabilities can be fixed only with a firmware update – yet to be released. But in the meantime you need to keep yourself and your phone safe. Thankfully, there are temporary protective measures you can take.

What is a BRP?

A baseband radio processor (BRP) is the part of a smartphone, tablet, or other smart technology that handles wireless cellular communication in second to fifth-generation devices:

  • 2G — GSM, GPRS, EDGE;
  • 3G — CDMA, W-CDMA;
  • 4G — LTE;
  • 5G — 5G NR.

The BRP usually doesn’t include Wi-Fi or Bluetooth functions.

Once a dedicated chip, for more than a decade now it has been commonly integrated with the CPU. Nevertheless, the BRP has its own memory and a rather complex command system — in fact, it’s a full-fledged highly-specialized processor that actively exchanges data with the CPU and main memory.

The BRP’s executable code is written into it by the vendor, and it’s effectively inaccessible to smartphone apps for analysis or modification. To the CPU, the BRP is a black box, but one with extensive access to the device’s main memory where user data is stored.

There are many companies that manufacture both CPUs and BRPs. Samsung’s arm that makes memory chips and other microelectronics is called Samsung Semiconductor. Its flagship series of chips, Exynos, is used in many (though not all) Samsung smartphones and tablets.

Vulnerabilities in Exynos

Project Zero researchers discovered that Exynos BRPs incorrectly process various service signals that the user receives from the cellular network. Upon receiving a malformed message, the chip can either freeze or, worse, run a piece of code loaded through the malicious message. Eighteen such bugs relating to service signal mismanagement were found, though to discourage hackers not all of these were described in detail.

Since the BRP handles all communication with the cellular network, malicious code can be used for a whole range of spying purposes: from tracking the victim’s geolocation to listening in on calls or stealing data from the smartphone memory. At the same time, because it’s a black box, the BRP is virtually impossible to diagnose or disinfect, except by reflashing.

The chips affected by the vulnerabilities are Exynos 850, 980, 1080, 1280, 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123.

Unfortunately, vendors don’t always disclose details about which chips are installed in which devices. Using publicly available data, it was possible to compile an incomplete list of devices that most likely use these chipsets. It includes the following models:

  • Samsung Galaxy A04, A12, A13, A21s, A33, A53, A71, M12, M13, M33, S22;
  • Vivo S6, S15, S16, X30, X60, X70;
  • Google Pixel 6, 6a, 6 Pro, 7, 7 Pro;
  • Any vehicles with the Exynos Auto T5123 chipset.

How to stay safe

The main way to protect yourself is by updating the BRP firmware, which usually occurs during a full firmware update of the smartphone. For instance, Google already released bug fixes for the Pixel 7 and 7 Pro as part of its March update. Unfortunately, the Pixel 6 and 6 Pro are still vulnerable at the time of posting. We recommend that Pixel owners install the latest firmware through their smartphone settings without delay.

Samsung has also released code updates for the Exynos BRPs, but has yet to fix all the vulnerabilities. What’s more, the vendor of each particular device containing these chips must independently package these fixes into their new firmware. At the time of posting, such firmware for other vulnerable devices was not yet available. It goes without saying that you’ll need to install these updates as soon as they appear.

Until then, Project Zero researchers recommend disabling Voice over LTE (VoLTE) and Wi-Fi calling on smartphones with Exynos BRPs. This may degrade the quality of voice calls and slow down call connection, but will have no impact at all on the speed and quality of internet access. Until the release of the new firmware, this will protect devices from potential hacking, albeit with some loss of functionality.