Let me clarify: it's not that some Pixel owners just haven't installed the March update yet. It's that Google hasn't released it for some Pixel models.
Hang on - if I understand correctly, all of the following is true for Pixel 6, 6 Pro, and 6a users?
- There's an exploit out there that lets attackers own my phone if they know my number
- A patch is not available for my phone yet
- It's not possible to work around the issue because a previous update removed the toggle
- Announcing this signals to every competent black hat worth their salt to begin looking for exploits on this chipset, knowing the reward is high and the method of pulling it off is implied to be simple
I really wish Google had delayed this blog post until after all of their currently supported flagship products were no longer affected...
I don’t think they’re legally required to do so. However they have a very aggressive publication schedule and selectively making exceptions for Google and not for competitors would look terrible, and possibly expose them to lawsuits.
That’s pretty funny. I just bought a pixel 6a with the intent of replacing my iPhone. About an hour of “how the hell do people put up with this shit” and it’s going. Then I wake up to this.
Your brain definitely gets trained on one system and moving off hurts. Hell, I've had my work Macbook for 5 years and I still curse the keyboard shortcuts that are all wrong (and the even more shortcuts that it's missing).
Yes I think it was a week late but is now being rolled out. People on Twitter are saying they don’t have it yet, which is the nature of individual experience.
That is only for CVE-2023-24033 though, right? Not the other three that haven't been assigned CVE IDs?
> The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution.
I bought a Motorola RAZR 3G for $0.50 while farting around inside a Cashies a while back
Turns out it was still locked to Telstra, they demanded *$100* to unlock the damn thing, even though they were turning off their 3G network anyway!
Unfortunately all the resources on hacking them have long since succumbed to linkrot, plus getting it hooked up over USB to an XP VM to try and unlock it that way seemed risky.
Germany and internet connection, I can't comprehend how one of the richest countries in the world, in such a small land mass can have such bad connectivity.
It's really baffling going here from Sweden where I'm starting to get 5G signal outside of core city areas, get 4G almost across the whole country with speeds of 50-100+Mbps, into the city centre of Berlin and there I fallback to 3G networks every 3rd/4th block walking.
Friends living there having terrible experiences with Telekom, almost no fiber available, etc.
> Germany and internet connection, I can't comprehend how one of the richest countries in the world, in such a small land mass can have such bad connectivity.
A combination of toxic financial mindset (back in the early '00s, finance minister Hans Eichel wanted a "balanced" budget and auctioned off the frequency licenses for dozens of billions of euros, saddling the carriers with the debt instead of the government), thoroughly incompetent politicians (Merkel's "Das Internet ist für uns alle Neuland" is just the tip of the iceberg), NIMBYs (sadly, projects for tower construction routinely end up in death threats, and since 5G conspiracies also in actual terrorist attacks), and a populace that to a large degree just doesn't give enough of a fuck.
Merkel is probably the worst German politician since...you know that guy.
Japan has a nuclear accident, caused by a tsunami and partly due to known issues in the power plant. Merkel: "Oh no, let's close down all our nuclear power plants right away."
Merkel: "Oh, we need more energy now when we closed all our nuclear power plants. No problem, my buddy Putin has agreed to build a gas pipeline and provide us with all the energy we need."
Putin has been rattling his weapons on the border of Ukraine since 2014. Merkel: "No problem, I called my buddy Putin and he said he will not attack. And by the way, no need for us to invest in our defense. We can continue to have Europe's weakest army per capita as Putin said he would not attack."
Migrant crisis in 2015. Merkel: "Everyone is welcome! Smugglers, just send them here, we will show our solidarity. Oh, we do not have enough schools, daycare, hospitals to take care of them all? Oh, many are lost teenagers and children without parents who took the chance now when we said everyone was welcome? Well, I guess they can earn their living selling drugs and sex."
I agree Merkel was bad, but not that bad - Kohl was inarguably worse.
> Japan has a nuclear accident, caused by a tsunami and partly due to known issues in the power plant. Merkel: "Oh no, let's close down all our nuclear power plants right away."
The entire country was calling for the dismantling of the NPPs, and no one sans the FDP and the Nazis cares much about them any more, not even their operators. As for the gas pipeline, thank former Chancellor Schröder for that one.
> Putin has been rattling his weapons on the border of Ukraine since 2014. Merkel: "No problem, I called my buddy Putin and he said he will not attack. And by the way, no need for us to invest in our defense. We can continue to have Europe's weakest army per capita as Putin said he would not attack."
A valid point, but one shared across the political spectrum except the Greens - everyone else from left to right and the entire leadership of the German industry was blinded by the prospect of cheap energy. It is unfair IMO to single out Merkel there.
> Migrant crisis in 2015. Merkel: "Everyone is welcome! Smugglers, just send them here, we will show our solidarity. Oh, we do not have enough schools, daycare, hospitals to take care of them all? Oh, many are lost teenagers and children without parents who took the chance now when we said everyone was welcome? Well, I guess they can earn their living selling drugs and sex."
The first part is a blank reproduction of common Nazi conspiracy myths - the "pull factor" has been thoroughly disproven by now, even with the EU being a deadly fortress at its borders, still thousands of people attempt to cross the Mediterranean each year. The latter is one of the worst interpretations you can give - I'd put that one rather on bland disinterest and fear of the far-right, not an intention to push people off to selling drugs.
Some areas were never built out with 2G but for the footprint that was always there they have not turned it off since it doesn't impact their spectrum very much. AT&T had poor spectrum planning so had to kill it off sooner to refarm the spectrum.
The Swedish regulator PTS intends to re-assign frequencies in the 900 MHz, 2.1 GHz and 2.6 GHz bands during 2023. This will most definitely sunset 2G and 3G in Sweden. The 1800 MHz band was already re-assigned in 2017.
No you can’t. 3G SIMs were flagged a while back and the account holders were notified of the retirement. At one point they started blacklisting SIMs that connected to 3G because customers didn’t upgrade.
Careful if you put your SIM in a 3G only phone it may get blacklisted and you’ll need a new one.
It’s (probably) not the same bug, but gives you an idea of the state of baseband security and the attack surface. The baseband is an ARM chip running an RTOS.
The security situation is not pretty. We have here an XML parser running in the baseband RTOS which has a stack overflow bug. There are no stack canaries and it looks like there’s no ASLR or even NX so they get trivial shellcode execution. Although they didn’t demonstrate persistence or AP compromise, I can’t imagine either of those would be hard from the privileged baseband, especially if the baseband drivers are as bad as the baseband firmware seems to be.
But this statement about baseband mitigations is only partially true. The Huawei Balong platform has ASLR and stack canaries now (and some Infineon too, I believe), and all baseband platforms are improving (even MediaTek). I didn't check Qualcomm lately, but they have a lot of similar protections now.
It's not trivial to do a pivot to AP on modern iPhones or Android phones (excluding some categories) - especially with PAC (and MTE coming).
But yeah, (Samsung) Shannon are an attractive target for attackers due to easily obtainable firmware, strings, DWARF (elf) firmware that you can find and relatively good debugging platform. The bugs are generally pretty low hanging too.
This isn't the same on Qualcomm platforms (Hexagon is notoriously hard to RE and debug), or the iPhone platforms.
Yep. And the interface is not easily accessible for normal users so it's hard to fuzz; we're at the mercy of telcos and telco-connected vendors for security testing.
Although this is a vulnerability in Samsung Exynos chipsets, ironically most Samsung flagship phones sold in the US shouldn't be affected because they use Qualcomm chipsets there rather than their own. The variants sold in Europe and Asia tend to have Exynos chipsets though, with the exception of the S23 series which is Qualcomm everywhere.
Right but it depends where the device was sold. A Galaxy S22 intended for Europe is built with a vulnerable Exynos SOC but a Galaxy S22 built for the US has a Snapdragon.
And you seem to be missing that if Samsung puts out Qualcomm and Exynos versions of the same phone, sharing a model number with a phone on that list doesn't preclude it from being unaffected.
I just had a chat with Samsung support. They seem pretty clueless about the whole thing, and brushed off the disclosure on the semiconductor.samsung.com site as "not the official Samsung USA site".
There doesn't seem to be a user-friendly way to determine for sure which chipset you have. I think at the very least, Samsung ought to publish a little app for that immediately.
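One way to answer the chipset and patch-level question from a workstation, as an added example that is not part of this thread or any Samsung or Google tooling: it reads two Android system properties that `adb shell getprop` reports and classifies the device. Assumptions: Exynos platforms report an `exynos*` value for `ro.board.platform`, the Pixel 6 family's Tensor SoC reports `gs101`, the March 2023 patch level (2023-03-01 or later) carries the CVE-2023-24033 fix as the thread states, and the sample property dumps are constructed, not captured from real devices.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a device from:
#   ro.board.platform                e.g. exynos2200, gs101, taro
#   ro.build.version.security_patch  e.g. 2023-03-05
# Assumptions: Exynos SoCs report "exynos*"; the Pixel 6 family's Tensor
# (Exynos modem) reports "gs101"; a 2023-03-01 or later patch level is fixed.

classify_device() {
  platform=$1
  patch=$2
  case "$platform" in
    exynos*|gs101) ;;                   # Exynos baseband family: keep checking
    *) echo "not-exynos"; return 0 ;;   # Qualcomm etc.: out of scope here
  esac
  # Compare the ISO date numerically (20230305 >= 20230301), not as text.
  patch_num=$(printf '%s' "$patch" | tr -d '-')
  case "$patch_num" in
    *[!0-9]*|'') echo "unknown-patch-level"; return 1 ;;
  esac
  if [ "$patch_num" -ge 20230301 ]; then
    echo "patched"
  else
    echo "vulnerable"
  fi
}

# Pull one property out of a getprop dump ("[name]: [value]" per line).
get_prop() {
  dump=$1
  name=$2
  printf '%s\n' "$dump" | sed -n "s/^\[$name\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Classify a whole dump, e.g. assess_dump "$(adb shell getprop)".
assess_dump() {
  platform=$(get_prop "$1" ro.board.platform)
  patch=$(get_prop "$1" ro.build.version.security_patch)
  classify_device "$platform" "$patch"
}

# Constructed sample dumps (not captured from real devices) so this runs offline.
SAMPLE_EXYNOS_S22='[ro.board.platform]: [exynos2200]
[ro.build.version.security_patch]: [2023-02-01]
[ro.hardware]: [exynos2200]'

SAMPLE_PIXEL6_MARCH='[ro.board.platform]: [gs101]
[ro.build.version.security_patch]: [2023-03-05]
[ro.hardware]: [oriole]'

SAMPLE_SNAPDRAGON='[ro.board.platform]: [taro]
[ro.build.version.security_patch]: [2022-11-01]
[ro.hardware]: [qcom]'

if [ "${1:-}" = "--live" ]; then
  assess_dump "$(adb shell getprop)"   # needs a USB-debugging device attached
else
  for d in "$SAMPLE_EXYNOS_S22" "$SAMPLE_PIXEL6_MARCH" "$SAMPLE_SNAPDRAGON"; do
    echo "$(get_prop "$d" ro.hardware): $(assess_dump "$d")"
  done
fi
```

Run with `--live` against an attached phone; "not-exynos" only means the SoC is out of this check's scope, not that the device is free of other issues.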
The Exynos variants usually are worse than the Qualcomm ones, the cynical take was that most prominent phone reviewers are based in the US so giving that market the superior chipset served to bait-and-switch the other markets into buying inferior hardware. It remains to be seen if Exynos will return for the S24 or they'll stick with Qualcomm across the board.
> the cynical take was that most prominent phone reviewers are based in the US
I don't think that's true, most of the reviews I read and watch on YouTube are made in Europe, UK, India.
When I worked at Samsung the reason was two-fold:
- There's a lot of internal competition, having two SoC suppliers for your flagship phones gives you leverage against both Qualcomm and in-house teams.
- Samsung treads lightly with US carriers. Using Qualcomm modems makes their certification process and field testing easier.
Dunno, the real complaint against exynos in favour of Qualcomm other than tribalism is that a lot of stuff was developed for Qualcomm with Adreno and not whatever GPU Exynos spouted at the time (custom weird thing early on, then PowerVR, nowadays Adreno). In USA they used Qualcomm due to CDMA shenanigans mainly.
Oh, and stuff like qualcomm-specific hacks people were used to from Jail broken HTC devices (like phone call recording) not working. Final minority complaint was essentially based on qualcomm devices being more popular so you had more resources for custom roms, despite the fact that Exynos meant no need to do complicated jailbreak to load a custom rom.
Personally I found no issue with Exynos chips whatsoever. Always some of the fastest stuff I had in my hands.
Most benchmarks showed Exynos falling behind in both performance and power efficiency for years. I don't know if this is still the case with the latest models, but many Exynos phones were also plain worse than their Qualcomm counterparts.
Quite sad, really, because the space can use some competition.
That's very unfortunate. With their vertical integration, Samsung is one of the few companies that can actually compete with Apple if they can get the tech up to spec.
Can you source your claim that Exynos used weird GPUs? AFAIK, Exynos mostly used ARM Mali (the default for ARM chips) cores with the exception of the most recent iteration when they formed a partnership with AMD to use RDNA in the 2200 model. I am absolutely sure no Exynos chip ever used Adreno and I also think they never used PowerVR.
As for weird GPUs, the S3C2410 (which got renamed as Exynos post-factum) used weird Samsung-designed GPU (doubly weird because it was GLES2-only GPU yet Samsung Android phones had GLES 1.1 only on it). Then first few generations (Galaxy S, S2, S3, S4) used PowerVR GPUs
I hope it goes the other way. My recollection is that the Exynos phones were able to be bootloader unlocked and flashed with other ROMs while the Qualcomm ones were locked down forever. I've stayed away from Samsung phones for that reason.
"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely."
It's skilled attackers in proximity with radio gear and a laptop, right? This sucks for a lot of people but I don't think I'm on the list of targets such actors would care about.
I find myself wishing more and more for a wifi‐only tablet in a phone form factor.
Sure, I recognize that I’m in the minority here, as someone who keeps his phone in airplane mode/wifi‐only mode all the time. But it doesn’t mean giving up much: most of my messaging (including replying to texts and checking voicemails) can be done from the browser, GPS navigation works fine without an internet connection (maps can be trivially preloaded), and when I desperately need internet access while driving I can pull into any Starbucks, McDonalds, or Walmart.
Mostly I do this for philosophical reasons (basically, purposely downgrading the importance of phone notifications relative to what activities I’m physically doing at a given time), but the security advantage of smaller attack surface is a benefit I hadn’t considered.
It existed. It was called the iPod Touch. It was a full iPhone without a cellular modem.
It was discontinued, assumedly for low sales as more and more people gave their kids either iPads or hand-me-down iPhones instead of buying iPod Touches like they used to.
If your goal is to reduce your attack surface, then yes, even a modem without a SIM is too much.
The modem in your phone isn't like a modem from the days of dialup, it's more like a cable modem. More often than not, the modem is its own entire microprocessor, RAM, I/O, etc. and then communicates with the device's CPU over a mixture of serial, I2C, SPI, or other busses. For instance, in my Pinephone, the modem is a Qualcomm MDM9607, which is a single core ARM CPU that has 256 MB of RAM and 256 MB of NAND on its package; it literally runs its own entire operating system (Linux in its case) separate from what the CPU of the phone does.
This CPU can also have its own connection to the battery, which is how, for example, iPhones can remain 'findable' even when the phone's CPU is otherwise powered off and at rest. The modem sips at the little remaining power in the battery to power itself and the GPS chip to report the device's location.
As for 'removing the sim' that doesn't prevent the device from connecting to a network, just authenticating with it, typically. Your sim card is just a standard identifier and a little bit of storage that the modem can read and write to for things like storing contacts and SMS messages. All of which can be done in software as well (known as an eSIM these days).
Edit: Here's a link to the wiki page on the Pinephone's modem, just to give you an idea of what a cell phone's modem can be capable of, and keep in mind, it uses a rather old, outdated, and unpopular modem, other modems may have more features: https://wiki.pine64.org/wiki/PineModems
I don't think it's equivalent judging by the fact that you can still make emergency calls, which means it's able to talk to the network anyway. I remember that an older Samsung I had (GS3 IIRC) would show the signal level even without a SIM installed.
Don't know what happens when you put it in airplane mode, though.
The baseband processor also performs real time audio and noise cancelling functions.
So while I have had some decent luck with VOIP and dialer apps that live solely in the application layer, voice quality and noise cancelling, etc., may not ever be as good as what the RTOS in the baseband can provide.
The source code for baseband software needs to be open source, I expect there are many more such vulnerabilities. I also wonder how many basebands contain Linux and are GPL violating.
None use Linux, most just use BSD licence software (or things like openssl). I haven’t seen any GPL code at all tbh.
But yep, would be nice if it was open source, although not sure how much that would help (only if sufficiently motivated auditors can be bothered to look at it). A bunch of baseband firmware is even encrypted on disk now (loaded into BB memory from the kernel)
So I got a little bit of time to check (https://github.com/Biktorgj/quectel_eg25_recovery/tree/EG25G... - the NON-HLOS), and it's still actually running a Qualcomm Hexagon baseband (40 MB binary by Qualtec when combined using Gal's unify_trustlet script).
Load that into the Hexagon IDA plugin and you'll see it's bog standard Hexagon for all the remote GSM/LTE code that actually does stuff (similar to the Project Zero research). I haven't verified (and don't own a Pinephone) but most Quectel boards I've seen in the past do enforce signature validation, so binary patches are not easy.
> Project Zero’s advice for those impacted follows:
>> Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.
> Google Pixel devices received software updates in 2021 that automatically enabled VoLTE and removed the toggle.
If you are currently, you probably have been vulnerable to this and many other undisclosed vulns for years, 3 days isn't going to move the needle much in terms of risk, but indeed it is a step to take.
Hear me out: we've long known that the current state of modems running their own tiny buggy unpatched OS with way too much access to the device has been bad, but no one could do much about it. A severe exploit like this doing actual damage to users of flagship phones from Google and Samsung might be enough to finally change that. Unless it hurts the bottom line of those companies severely they won't change it. I think they should have released the info to force them to.
The Google Project Zero blog post implies that all Google Pixel models have received a fix, but really only some of them have, and it doesn't mention that the vulnerability can't be mitigated on them either. The 9to5Google post gets both of these things right, though: "the Pixel 6, 6 Pro, and 6a have yet to see that March update" and "Google Pixel devices received software updates in 2021 that automatically enabled VoLTE and removed the toggle."
So, essentially, you have to disable mobile data as well as wifi calling, thus disabling the ability to be called entirely until they release the March patch. Nice...
Hmm. WiFi calling is not a big deal. VoLTE however is. Some networks don't even support 2/3G anymore so VoLTE is the only way to make calls there.
I always thought it was ridiculous that LTE didn't come with a built-in voice mode that was just universally supported. VoLTE is more of an add-on app on top of data and a big cause of compatibility problems. It wasn't even finished when the rest of the LTE standard came out so many early phones came without support. And many still have to fall back to 3G during calls due to incompatibilities or networks blocking them due to "not invented here".
It's a mess compared to 2G/3G where you can just stick a sim card into any phone and know it will work just fine.
In a far future a data only network makes sense but we're not there yet and we definitely weren't when LTE was specced. Voice should have been an integral part of the standard.
> On Pixel phones, the main CVE-2023-24033 vulnerability was fixed with the March 2023 security patch that rolled out on Monday but should have come a week earlier.
> However, the Pixel 6, 6 Pro, and 6a have yet to see that March update and are currently vulnerable.
> On Pixel phones, the main CVE-2023-24033 vulnerability was fixed with the March 2023 security patch that rolled out on Monday but should have come a week earlier.
That means GrapheneOS is already protected against this vuln:
> allow an attacker to remotely compromise a phone at the baseband level
Aren't modern phones supposed to securely separate the baseband from the OS (Android)? Does this mean that voice and data can be intercepted, but at least other data might be safe?
Pure speculation, but I would guess that the interfaces to baseband are not particularly hardened, so an attack on the phone from the baseband might be trivial. Or worse, the baseband might have a trusted channel to launch arbitrary code.
This is not true on pretty much any phone post 2014ish. Pretty much all platforms have IOMMUs or similar separation mechanisms. Source: did baseband VR commercially.
Basebands have not had DMA for a long time. There can still be vulnerabilities, which it sounds like is what happened here, but there’s no DMA anymore on new phones.
..."Users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings."
Very kind of them to offer the freedom of choice to all those users who don't want to protect themselves!
Welp, turned off wi-fi calling but can't turn off VoLTE. I can set 3G, but since I'm on Fi, 3G won't work (T-Mobile). I get horrible 5G where I am, so it always goes to LTE.
VoLTE will work over 5G (and sometimes over 3G in esoteric configurations). It is very data centric, even using SIP for call control. A rule of thumb is, any time you have a data connection, VoLTE can be used.
This is why Wi-Fi Calling and VoLTE took off at roughly the same time. Once you can route calls as data, you can offer it over both cellular and Wi-Fi. (Wi-Fi Calling has an additional outer IPsec layer, but it is the same "guts" inside the tunnel.)
My understanding is that VoLTE/VoNR/VoWiFi is all the same 3G era IMS stack (with updates since then) and thus SIP over IP over either GPRS Tunnel Protocol over low level radio interface or WiFi
A shame! I have a Nokia Windows Phone that I used on 3.5G for a long time as a second phone, and now it's basically worthless other than maybe for a music player.
Okay, so can Google please consider doing more work to isolate the modem from the application processor in Pixel phones now? This is a disaster, but probably worse than it needs to be.
The pixel 6 modem has a bunch of known issues, to my understanding (certainly that's been the consensus when I've looked up solutions to my Pixel not getting a signal in the middle of Seattle until I toggle airplane mode on and off a few times). Hopefully this is the nail in the coffin for this modem series and they go back to using their previous modem
> Meanwhile, the other 14 vulnerabilities are considered not as severe as they “require either a malicious mobile network operator or an attacker with local access to the device.”
The kind of people with the resources to actively exploit this are the same kind of people who can compel the carriers to transmit whatever they want.
I wonder how you would be able to apply mitigations on carriers (like T-Mobile) that have turned off their 3G service. If you don't have a carrier which supports 3G (or lower), don't you need VoLTE turned on in order to make & receive voice calls?
It works for data and calls, not fast but since not much falls to it anymore it seems to rarely be congested. My coverage with it was always better than with their 3G network and I used it years past its prime for conserving battery (until they deployed low-band LTE). You need at least a 3G device to use new sim cards to get on 2G but if you've been a customer a long time and you haven't changed cards, there are still activated ones in the wild that work with old devices (I was able to get calls and SMS to work on a t68i, but needed to use a w810i to get working data when I tried a few months back).
> T2B3.230109.009.2023031500 (Pixel 6, Pixel 6 Pro, Pixel 6a) — 2023-03-05 Android patch level but only 2023-03-01 Pixel patch until a March stock OS release is published with updated firmware, etc. (marked as 2023-03-01 overall patch level in the OS)
Your baseband isn't protected. GrapheneOS patched Android, but the complete device set of images (firmware) is still vulnerable. That said, GrapheneOS does seem to implement its own additional baseband hardening.
That’s like saying an incompetent person who makes a lot of mistakes is somehow transformed into a malicious actor “at a certain point”. It’s just not true. It may help justify your emotional response to consider them so, but it’s not true.
That saying applies to inexplicable coincidences. It doesn’t mean that everything that happens three times is an attack. I live in Seattle. It rained three times this week. That is not enemy action.