Skip to main content

Google: Turn off VoLTE, Wi-Fi calling due to severe Exynos modem vulnerabilities on Pixel 6, more

Google’s Project Zero team discovered severe 0-day vulnerabilities with the Samsung Exynos modems used on the Pixel 6 and 7, Samsung phones and wearables, and other devices that warrant disabling VoLTE and Wi-Fi calling until patched.

Update 3/20: With Google’s March 2023 update, the Pixel 6 and 7 families are protected against “all four Internet-to-baseband remote code execution vulnerabilities” (CVE-2023-24033 + CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498).

Additionally, Samsung Semiconductor has since said that the Exynos W920 was never impacted.

Exynos modem vulnerabilities

Known for finding 0-days, Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. Four of the vulnerabilities, including CVE-2023-24033, involve internet-to-baseband remote code execution (emphasis ours):

Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

Meanwhile, the other 14 vulnerabilities are considered not as severe as they “require either a malicious mobile network operator or an attacker with local access to the device.”

Project Zero is making a “policy exception to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution.” This is “due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted.”

Affected devices

According to Samsung Semiconductor (January 2023), these are the affected chipsets: Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123. Google compiled a list of likely affected products:

  • Samsung Galaxy phones including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series
  • Vivo phones including those in the S16, S15, S6, X70, X60, and X30 series
  • Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
  • Any vehicles that use the Exynos Auto T5123 chipset

Top comment by Monnymac

Liked by 85 people

So Google is telling me my Pixel 6 is vulnerable to this, and it's a serious issue. But they have not resleased the patch for for my phone yet. So they tell me in the meantime to turn off wi-fi calling and VoLTE, but removed the toggle to turn off VoLTE. Do I have this right?

View all comments

Besides the Pixel 6 (Exynos 5123) and 7 (Exynos 5300), this includes the S22, as well as the Galaxy Watch 4 and 5. On Pixel phones, the main CVE-2023-24033 vulnerability was fixed with the March 2023 security patch that rolled out on Monday but should have come a week earlier.

Turn off VoLTE and Wi-Fi calling

However, the Pixel 6, 6 Pro, and 6a have yet to see that March update and are currently vulnerable. Project Zero’s advice for those impacted follows: 

Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.

According to an older Sprint/T-Mobile support article, “Google Pixel devices received software updates in 2021 that automatically enabled VoLTE and removed the toggle.” You can disable Wi-Fi calling on Pixel phones in Settings app > Network & internet > SIMs > Wi-Fi calling.


FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: