Dangerous Android phone 0-day bugs revealed – patch or work around them now! – Naked Security


Google has revealed four critical zero-day bugs that affect a wide range of Android phones, including some of its own Pixel models.

These bugs are a little different from your typical Android vulnerabilities, which usually affect the Android operating system (which is based on Linux) or the applications that come with it, such as Google Play, Messages or the Chrome browser.

The four bugs we are talking about here are known as baseband weaknesses, meaning they exist in the special mobile phone networking firmware that runs on the phone’s so-called baseband chip.

Strictly speaking, baseband is a term used to describe the primary, or lowest-frequency, component of an individual radio signal, in contrast to a broadband signal, which (very loosely) consists of multiple baseband signals tuned to multiple adjacent frequency ranges and transmitted at the same time to increase data rates, reduce interference, share the frequency spectrum more widely, complicate monitoring, or all of the above. The word baseband is also used metaphorically to describe the hardware chip and associated firmware used to handle the actual sending and receiving of radio signals in devices that can communicate wirelessly. (Confusingly, the word baseband usually refers to the subsystem in a phone that handles connecting to the mobile phone network, but not to the chips and software that handle Wi-Fi or Bluetooth connections.)

Your mobile phone’s modem

Baseband chips usually work separately from the “non-phone” parts of your mobile phone.

They actually run their own miniature operating system, on their own processor, and work alongside your device’s main operating system to provide connectivity to the mobile network for making and answering calls, sending and receiving data, roaming on the network, and so on.

If you are old enough to have used dialup internet, you will remember that you needed to buy a modem (short for modulator-and-demodulator), which you plugged into either a serial port on the back of your PC or an expansion slot inside it; the modem connected to the telephone network, and your PC connected to the modem.

Well, your mobile phone’s baseband hardware and software is, very simply, a built-in modem, usually implemented as a sub-component of the phone’s so-called SoC, short for system-on-chip.

(You can think of an SoC as a kind of “integrated integrated circuit”, where separate electronic components that used to be interconnected by mounting them close together on a motherboard are further integrated by combining them in a single chip package.)

In fact, you’ll still see baseband processors referred to as baseband modems, because they still handle the business of modulating and demodulating the data sent to and received from the network.

As you can imagine, this means that your mobile device is not only at risk from cybercriminals through bugs in the main operating system or one of the apps you use…

…but also at risk from security vulnerabilities in the baseband subsystem.

Sometimes, baseband flaws allow an attacker not only to get into the modem itself from the internet or the telephone network, but also to get from the modem into the main operating system (moving sideways, or pivoting, as the jargon calls it).

But even if crooks can’t get past the modem and onward to your apps, they can almost certainly do you massive cyberharm just by planting baseband malware, for example by sniffing or redirecting your network data, snooping on your text messages, monitoring your phone calls, and more.

Worse, you can’t just look at your Android version number or the version numbers of your apps to see if you’re vulnerable or patched, because the baseband hardware you have, and the firmware and patches you need for it, depend on your physical device, not on the operating system you are running on it.

Even devices that are in all obvious respects “identical” – sold under the same brand, using the same product name, with the same model number and external appearance – can have different baseband chips, depending on which factory assembled them or in which market they were sold.

The new zero-days

The bugs recently discovered by Google are described as follows:

[Bug number] CVE-2023-24033 (and three other vulnerabilities not yet assigned CVE identities) allow for internet-to-baseband remote code execution. Tests conducted by [Google] Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, and only require the attacker to know the victim’s phone number.

With limited additional research and development, we believe that skilled attackers can quickly create an operational exploit to compromise affected devices silently and remotely.

In plain English, an internet-to-baseband remote code execution hole means that criminals can inject malware or spyware over the internet into the part of your phone that sends and receives network data…

…without getting hold of your actual device, luring you to a rogue website, luring you into installing a suspicious app, waiting for you to click the wrong button on a pop-up warning, giving themselves away with a suspicious notification, or tricking you in some other way.

18 bugs, four kept semi-secret

There are 18 bugs in this latest batch, which Google reported in late 2022 and early 2023.

Google says it’s disclosing their existence now because the agreed-upon time has passed since they were reported (Google’s time period is usually 90 days, or close to it), but for the four bugs above, the company is not disclosing any details, noting that:

Due to an extremely rare combination of the level of access these vulnerabilities provide and the speed at which we believe a reliable operational exploit can be made, we have decided to make an exception to the policy to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution.

In plain English: if we tell you how these bugs work, we’ll make it very easy for cybercriminals to start doing really bad things to a lot of people by secretly planting malware on their phones.

In other words, even Google, which has attracted controversy in the past for refusing to extend its disclosure deadlines and for openly publishing proof-of-concept code for zero-days that have not yet been patched, has decided to follow the spirit of its Project Zero responsible disclosure process rather than sticking to its letter.

Google’s argument for generally sticking to the letter and not the spirit of its disclosure rules is not entirely unreasonable. By using a fixed algorithm to decide when to reveal details of unpatched bugs, even if those details could be used for evil, the company argues that complaints of favoritism and subjectivity can be avoided, such as, “Why did company X get an extra three weeks to fix their bug, while company Y did not?”

What to do?

The problem with bugs that are announced but not fully disclosed is that it’s hard to answer the questions, “Am I affected? And if so, what should I do?”

Apparently, Google’s research focused on devices that used a Samsung Exynos-branded baseband modem component, but that doesn’t mean the system-on-chip will identify or brand itself as Exynos.

For example, Google’s recent Pixel devices use Google’s own-branded system-on-chip, Tensor, but both the Pixel 6 and the Pixel 7 are vulnerable to these semi-secret baseband bugs.

As a result, we can’t give you a definitive list of potentially affected devices, but Google reports (our emphasis):

Based on information from public websites that map chipsets to devices, the affected products likely include:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
  • The Pixel 6 and Pixel 7 series of devices from Google; and
  • any vehicles using the Exynos Auto T5123 chipset.

Google says the baseband firmware on the Pixel 6 and Pixel 7 has been patched as part of the March 2023 Android security updates, so Pixel users should make sure they have the latest patches for their devices.

For other devices, different vendors may take different lengths of time to send their updates, so check with your vendor or mobile provider for details.
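The article’s point is that neither the Android version nor the app versions tell you whether a baseband fix is installed, and that only the March 2023 Android security updates are known (from Google) to carry the Pixel 6 and 7 baseband patch. The script below is an added triage example, not code from Naked Security or Google: it reads a `getprop` dump of the kind `adb shell getprop` produces, reports the device’s security patch level alongside the baseband and chipset strings an administrator needs when asking a vendor about a non-Pixel device, and flags whether the patch level is at or after 2023-03-01. The property names (`ro.build.version.security_patch`, `gsm.version.baseband`, `ro.board.platform`, `ro.product.model`) are real Android system properties; the sample dumps are constructed, and the baseband build string is an obvious placeholder.

```shell
#!/bin/sh
# Added example (not from the article): triage a device's "getprop" output.
# The patch-level check applies to the Pixel 6/7 fix described in the article;
# for other vendors, the reported baseband string still has to be compared
# against the vendor's own advisory, which this script cannot do for you.

# Constructed sample dumps in "adb shell getprop" format (placeholder values).
SAMPLE_PROPS='[ro.product.model]: [Pixel 6]
[ro.board.platform]: [gs101]
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-02-05]
[gsm.version.baseband]: [EXAMPLE-BASEBAND-BUILD]'

SAMPLE_PROPS_PATCHED='[ro.product.model]: [Pixel 7]
[ro.board.platform]: [gs201]
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-03-05]
[gsm.version.baseband]: [EXAMPLE-BASEBAND-BUILD]'

# Print the value of one property from a getprop-style dump read on stdin.
# Lines look like "[key]: [value]"; the first match wins, no match prints nothing.
prop_value() {
    grep -F "[$1]: [" | head -n 1 | sed 's/^[^:]*: \[//; s/]$//'
}

# Return 0 if the dump's security patch level is 2023-03-01 or later, the
# month of the Android security updates the article says patched the Pixel
# baseband; return 1 if the level is older or missing. ISO dates with the
# dashes removed compare correctly as integers.
patched_since_march_2023() {
    spl=$(printf '%s\n' "$1" | prop_value ro.build.version.security_patch)
    case $spl in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s' "$spl" | sed 's/-//g')" -ge 20230301 ]
}

# Produce one pipe-separated inventory line for a dump:
# model|platform|baseband|security_patch|status
triage_device() {
    dump=$1
    model=$(printf '%s\n' "$dump" | prop_value ro.product.model)
    platform=$(printf '%s\n' "$dump" | prop_value ro.board.platform)
    baseband=$(printf '%s\n' "$dump" | prop_value gsm.version.baseband)
    spl=$(printf '%s\n' "$dump" | prop_value ro.build.version.security_patch)
    if patched_since_march_2023 "$dump"; then
        status=patch-level-ok
    else
        status=needs-update
    fi
    printf '%s|%s|%s|%s|%s\n' "$model" "$platform" "$baseband" "$spl" "$status"
}

# Convenience wrapper for a connected device (needs adb and USB debugging).
triage_connected_device() {
    triage_device "$(adb shell getprop)"
}

# Stand-alone run over the constructed samples.
triage_device "$SAMPLE_PROPS"
triage_device "$SAMPLE_PROPS_PATCHED"
```

The `status` column is deliberately conservative: `patch-level-ok` means only that the build reports a March 2023 or later patch level, which is what Google says fixed the Pixel baseband; for Samsung, Vivo or other devices, treat the baseband string as the value to check against the vendor’s own update notes, and keep Wi-Fi calling and VoLTE off until that check is done.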

In the meantime, these bugs can probably be sidestepped in your device settings, if you:

  • Turn off Wi-Fi calling.
  • Turn off Voice-over-LTE (VoLTE).

In Google’s words, “Turning these settings off will remove the risk of exploiting these vulnerabilities.”

If you don’t need or use these features anyway, you can simply leave them off until you know what modem chip your phone has and whether it needs an update.

After all, even if your device turns out to be invulnerable or already patched, there’s no downside to turning off things you don’t need.

Featured image from Wikipedia, by user Köf3, under the CC BY-SA 3.0 license.