Google’s Project Zero team discovered severe 0-day vulnerabilities with the Samsung Exynos modems used on the Pixel 6 and 7, Samsung phones and wearables, and other devices that warrant disabling VoLTE and Wi-Fi calling until patched.
Known for finding 0-days, Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. Four of the vulnerabilities, including CVE-2023-24033, involve internet-to-baseband remote code execution (emphasis ours):
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
Meanwhile, the other 14 vulnerabilities are considered not as severe as they “require either a malicious mobile network operator or an attacker with local access to the device.”