Google’s security research team has discovered some major vulnerabilities in Pixel and Samsung Galaxy phones that you’ll want to protect yourself against as soon as you can.
The issues were discovered in the Exynos modems produced by Samsung that are used by a variety of smartphones including the Google Pixel 6, Google Pixel 7, and Samsung Galaxy S22 among others.
As revealed in the Project Zero team’s blog post (opens in new tab) people using a device that relies on this chip will want to turn off Wi-Fi calling and Voice-over-LTE in their device settings in order to protect themselves until a security patch is released. The affected devices are:
- Samsung's S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series phones
- Vivo's S16, S15, S6, X70, X60 and X30 series phones
- Google's Pixel 6, Pixel 6 Pro, Pixel 6a, and Pixel 7 phones
- any wearable with the Exynos W920 chipset
- any vehicle using the Exynos Auto T5123 chipset
However, not every version of every device is affected. For example, the European Samsung Galaxy S22 uses a vulnerable Exynos modem, but the American version doesn't. But for other devices, like the A53, all versions of that phone use the vulnerable Exynos 1280.
So before turning off Wi-Fi calling and Voice-over-LTE you might want to double check your exact model is indeed impacted using Samsung's official information (opens in new tab).
How can you protect your phone?
For its part, Google says the March 2023 security update that's been rolled out to Pixel 6 and Pixel 7 phones should patch these issues.
In a statement we received, Samsung told us that it takes its customer's safety seriously and it has released a patch for five of six vulnerabilities impacting select Galaxy devices this month. Another security patch will be coming in April to address the remaining vulnerability, so make sure your device is up to date if you want it to be protected.
In the meantime, you can protect yourself by going into your phone’s Settings. Using the search option look for “Wi-Fi Calling” and you’ll see a toggle to turn it on or off in the Connections sub-menu. If you want your Samsung phone to be secure you’ll want to turn it off, though you’ll then lose access to the feature until you turn it back on.
To turn off Voice-over-LTE, head back to the Connections menu and this time tap on Mobile Networks. You should then see a new list of options and toggles next to “VoLTE calls SIM 1” and “VoLTE calls SIM 2” (though the second option will only appear if you have two SIMs installed). Turn the toggles off and that should mean your phone's protected against the vulnerabilities discovered by Project Zero.
Turning off these features will mean your calls are lower quality, but you should still be able to make calls.
Analysis: Why reveal these flaws?
If these flaws represent serious risks to our devices, why would Google Project Zero reveal them? Wouldn’t it be better to keep them private so hackers don’t know they exist?
Project Zero does keep the most serious of exploits private only sharing them with relevant device manufacturers to ensure that they aren’t abused by bad actors. But for other security vulnerabilities, it can be better to keep a wider net of people in the loop.
For one, there is a way for us to protect ourselves from attacks that take advantage of these vulnerabilities – until a patch is rolled out you can turn off Wi-Fi calling and Voice-over-LTE as we explained above. For another, it’s possible these exploits aren’t too difficult to discover, so by keeping them hidden from the public Project Zero runs the risk of leaving regular folks in the dark while hackers run rampant.
Lastly, revealing the issues should encourage device manufacturers to roll out a patch asap. Now not only is Google’s Project Zero team hounding them to fix the issue, but device owners can also reach out through official forums and contact forms to get their phone maker to fix the problem.
Looking for a phone that's not impacted by this modem issue? Check out our picks for the best phone to find several options that don't rely on the affected Exynos modem.