A little over ten days ago, the security research team Project Zero disclosed multiple 0-day vulnerabilities in the Exynos Modem, four of which let an attacker easily reach an affected phone and take control of it. A 0-day vulnerability is a flaw that was previously unknown to the vendor.
The vulnerabilities were found between late 2022 and early 2023. Four of them allow Internet-to-baseband remote code execution; the remaining fourteen were rated less severe because exploiting them requires either a malicious mobile network operator or an attacker with direct access to the device. For the more severe flaws, an attacker only needs to know the victim's phone number to exploit them and can compromise the phone remotely and silently. The Project Zero team recommends that users whose phones remain unpatched disable Wi-Fi calling and VoLTE (Voice-over-LTE).
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.
According to Samsung's website, the vulnerabilities are present in its Exynos Modem 5123 and Exynos Modem 5300, as well as in the Exynos 980 and Exynos 1080 chipsets. Affected devices include:
– Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
– Vivo S16, S15, S6, X70, X60 and X30 series
– Google Pixel 6, Pixel 7 series
Google and Samsung roll out security updates
Google has already begun releasing security updates for the Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7 and Pixel 7 Pro to patch these vulnerabilities. On Samsung's side, a Community Manager posted on the US Samsung Community Forum last week stating that five of the six vulnerabilities found in the Exynos Modem had been patched in March, and that the remaining one will be patched next month.
Hello, We understand the concern of vulnerabilities. Samsung takes the safety of our customers very seriously. After determining 6 vulnerabilities may potentially impact select Galaxy devices, of which none were ‘severe’, Samsung released security patches for 5 of these in March. Another security patch will be released in April to address the remaining vulnerability.