Security Bits — 19 March 2023

Deep Dive — Critical Android Base-Band Vulnerabilities❗

TL;DR: this is bad — remote code execution without user interaction over the cellular network, combined with the usual level of security confusion that goes with Android’s model. Unless your Android device is on the list of known-patched devices, or unless your vendor has explicitly announced that they are not using an affected cellular modem, assume you are in danger, and apply the workaround (turn off Wi-Fi calling & Voice-over-LTE AKA VoLTE).

Mobile phones contain a sub-system, the base-band, designed for communicating with cellular networks. The base-band handles the radio communications between the phone and the cell towers, and it is highly independent from the rest of the phone: it doesn’t just have its own firmware, it contains its own processor and runs its own mini OS. This mini OS has a privileged relationship with the phone’s primary OS, which can make it possible for malware that has compromised the base-band to pivot into the core Android OS, and to do so with system-level privileges.

Different cellular modem manufacturers use different hardware, firmware, and software for their base-band chips, so these kinds of vulnerabilities don’t generally affect all Android devices.

Google’s Project Zero have announced the existence of eighteen bugs in Samsung’s Exynos cellular modems, four of them critical: they allow an attacker knowing nothing more than a victim’s phone number to remotely execute code on the device’s base-band without any user interaction, and entirely stealthily. This is the kind of vulnerability that grey-hat companies like the NSO Group leverage to create spyware products like the infamous Pegasus. That level of access would of course also be a boon for cyber criminals, who could steal passwords, private keys, and MFA codes, and with them identities, money, and cryptocurrency wallets.

Most unusually, the Project Zero team have chosen to withhold the details of the four critical vulnerabilities despite their usual 90-day disclosure window having expired. These bugs are so bad that they are making a rare exception to their disclosure policy.

As well as not knowing how the bugs work, we only have a vague idea of which devices are and are not affected. We know that Google have patched the vulnerabilities in the latest (March 2023) software update for their Pixel 6 and Pixel 7 series phones, which use these Exynos modems, and that many Samsung devices are affected, but beyond that there is very little clarity.

Thankfully there is a workaround for anyone whose device has not yet been patched: turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in the phone’s settings. One caveat: some carriers have shut down their 2G and 3G networks, so on those carriers VoLTE is the only way to make regular voice calls, and turning it off may leave you with data only until a patch arrives. Some carriers and handsets also hide the VoLTE toggle entirely, in which case the only option is to wait for the patch.

If you’re using an Android device that hasn’t been patched (or you’re not sure), apply the workaround now, and check with your manufacturer whether or not your device has a patch for CVE-2023-24033 (at the time of writing, the only one of the four critical bugs that has been assigned a CVE identifier).

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji            Meaning
🎧               A link to audio content, probably a podcast.
❗               A call to action.
(national flag)  The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊               A link to graphical content, probably a chart, graph, or diagram.
🧯               A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵               A link to an article behind a paywall.
📌               A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩               A tip of the hat to thank a member of the community for bringing the story to our attention.