Replying to Avatar Warren Togami

According to Google Project Zero they discovered 0-day "Internet-to-baseband remote code execution" affecting many millions of Samsung and Pixel 6+ modems.

Read it for yourself. It sounds very bad. If you have an affected phone you may want to turn off your SIM card because the recommended "turn off VoLTE and WiFi calling" is impossible for many of these phones after they removed the VoLTE option back in 2021.

Only thing you can do is turn it off and put pressure on the vendors to fix it.

https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

The writer claims it's already patched by Google in the March 2023 patch level. Unfortunately that patch had been withheld from Pixel 6* due to bugs so the blog is incorrect about this already being fixed for Pixel owners.

It sounds like Samsung has a much bigger mess due to the wider variety of phones, firmwares, and providers for which they must now rush an update without breaking it. Not an easy task but they must do it.

Don't blame Google for releasing this advisory. Samsung had months to respond in a timely manner.

Do blame Google for failing to protect their own customers prior to their own advisory. I like Pixel and I want them to do better.

Avatar
Warren Togami 2y ago

If you have Pixel 6 and can't wait for the rumored patch tomorrow you can instead opt-in to QPR3 Beta also with the March 2023 patch level. Read the release notes and "top open issues" to decide for yourself if it is worth being stuck in beta until June.

"March 20th" is rumored from a screenshot of a customer service rep. Even if it is made available to the public tomorrow, there there is no guarantee you'll get it immediately from OTA as providers also need to approve of updates.

The beta known bugs don't look too bad to me.

My primary concern about being stuck in the beta stream until June would be it is time consuming to apply patches multiple times per month. Otherwise I'm not too concerned about running the beta and seeing new features months before other people.

https://developer.android.com/about/versions/13/release-notes

Reply to this note

Please Login to reply.

Discussion

Avatar
Luke Dashjr 2y ago

Even if providers don't approve the OTA, you can download and sideload it.

The big question IMO is whether all 14 vulnerabilities are fixed, or only a subset...

Avatar
Luke Dashjr 2y ago

Update: At least the 4 major ones were fixed