Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs

Google security analysts have warned Android device users that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack and remote-control their handsets knowing just the phone number. Between late 2022 and early this year, Google's Project Zero found and reported 18 of these bugs …

  1. Sunset

    Good luck with that

    Of the US nationwide carriers, only one even has a non-VoLTE voice capability left (T-Mobile) and that's straight GSM - and going away soon. A lot of modern phones don't even have a way to turn VoLTE off from the GUI.

    Perhaps the mad rush to kill off GSM, UMTS/HSPA, and CDMA was actually a mistake?

    1. doublelayer Silver badge

      Re: Good luck with that

      "Perhaps the mad rush to kill off GSM, UMTS/HSPA, and CDMA was actually a mistake?"

      The problem here isn't intrinsic to VoLTE, so I'm not sure it's fair to blame the shutoff for something that Samsung's code caused. It was going to be turned off at some point eventually, and people have been making VoLTE-capable modems unaffected by this exploit for quite a while. I'm not sure how long a deprecation should be extended for a just-in-case backup option for a problem not caused by the new version.

    2. Charlie Clark Silver badge
      Stop

      Re: Good luck with that

      Depends what your priorities are. Packet based stuff allows more efficient use of spectrum than connection-based stuff and data outstripped voice on mobile networks over a decade ago.

      Also, this doesn't mean that other methods couldn't be, or haven't already been, hacked.

  2. Omnipresent Bronze badge

    bwahahahhahahaha

    that is all.

  3. emfiliane

    Wifi calling on? Really?

    Unless you're often spending your time in the basement or a remote chalet, you should turn Wifi calling off anyway, unless you prefer dead air pickups, constant echo, warbling, and stutter, and total inability to receive verification calls and texts from most sites.

    1. RPF

      Re: Wifi calling on? Really?

      Or perhaps you live somewhere with no/poor signal, like 5% of the UK.

      Perhaps - like me - your house was built in the 16th century and has 3-foot thick walls which block mobile signal.

      1. John Sager

        Re: Wifi calling on? Really?

        Sadly though, WiFi Calling is a poor substitute for a femtocell device. We used to have Sure Signal from Vodafone but they turned that off and we've had no end of trouble with WiFi Calling. There seems to have been no interest in a LTE femtocell to replace the 3G ones.

        1. Paul Crawford Silver badge

          Re: Wifi calling on? Really?

          Sadly this is what passes for "progress" - use the cheapest solution even if it sucks donkey balls.

      2. doublelayer Silver badge

        Re: Wifi calling on? Really?

        To be fair, they did basically start with some examples that, in their generic form, can be paraphrased as "unless you have no or bad signal". Since you have no signal, you would fall into that category of people with a good reason to use WiFi calling.

        I had that situation at one point and enabled WiFi calling to deal with it, and I have to admit that I had several problems whenever it was operational. I'd answer a call and could hear nothing for the first five seconds. I seemed to have several seconds delay before an incoming call would make my phone ring, meaning I had less time to pick up before it went to voicemail. I had people reporting that my sound quality was worse even though I was using the same microphones on the same device and my WiFi was fast and low-latency enough to be able to handle it. This may have improved in the five years since I had to employ it, but I was glad to switch it off when I went somewhere that has signal.

      3. iron

        Re: Wifi calling on? Really?

        Surely they also block WiFi. The far less than 3' thick tenement walls here do a pretty good job.

        1. CrazyOldCatMan Silver badge

          Re: Wifi calling on? Really?

          Surely they also block WiFi

          Try installing wifi into a castle. That was fun..

          (Their h/w budget was initially enough to do a couple of rooms. They'd forgotten that EMF is notoriously poor at penetrating stone..)

      4. CrazyOldCatMan Silver badge

        Re: Wifi calling on? Really?

        your house was built in the 16th century and has 3-foot thick walls

        My house was built in 1997, definitely doesn't have 3-ft thick walls but I still have virtually no signal with most of the operators..

    2. DS999 Silver badge

      Re: Wifi calling on? Really?

      I have no problems with wifi calling. It was a bit sketch the first few months that Apple supported it (though whether it was Apple or AT&T to blame who knows) but it has been rock solid since, including through a recent switch from AT&T to Verizon.

      I leave it on all the time regardless of how good/bad the cellular is where I happen to be. If you are having problems you should be blaming either your phone or your carrier. There is nothing wrong with wifi calling itself.

    3. Charlie Clark Silver badge
      Stop

      Re: Wifi calling on? Really?

      Or in an office with good windows which will have enough metal in them to make a reasonable Faraday cage.

    4. Anonymous Coward Silver badge
      Alien

      Re: Wifi calling on? Really?

      Perhaps your ISP is a bit rubbish? Or your provider's implementation.

      WiFi calling works very well for me, and I've used it in many different places including on free public wifi. Even verification SMS messages come through with no additional delay.

  4. Jemma

    Shitesung

    I knew there was a reason I didn't buy their stuff. Chipsets in my phones etc are Mediatek. Reliable, do the job, good battery life, not overpriced by 60%. I buy ulefone stuff, it just works for a sensible price, currently an Armor 8 and the next one will probably be an Armor 8 Pro. Surprised it's taken so long to pick up this problem because WiFi calling has been kicking around for at least 4 years..

    Although that issue with WiFi calling and notification auto SMS might explain a problem I've been having with the No Hope Service sending me notifications about appointments after the appointment actually happened.. (3G3N breast cancer/BCC, Fibromyalgia among others.)

    1. Simian Surprise

      Re: Shitesung

      I had a great Samsung phone (A5, I think) some time ago, lasted for years until I smashed it. Unfortunately that convinced me to buy Samsung for my next two phones: one stopped reliably taking/receiving calls about 2 years in; the other died completely the week before its first birthday.

      I hadn't signed up for a phone protection plan, but seeing as that presumably would have gotten another of the same, I'm glad I didn't. Motorola makes some reasonably priced models.

      And as others have said, I get great signal (5G) at my house, enough to replace my cable with, even... in one room on the top floor. So WiFi calling is a must-have. Apparently I dodged yet another bullet.

    2. Charlie Clark Silver badge

      Re: Shitesung

      I had a device with a Mediatek in it: never got any OS updates. Mediatek is known for poor drivers and OS support.

    3. Dan 55 Silver badge

      Re: Shitesung

      Samsung is scientifically proven to write crappy software, but a fight between Exynos and Mediatek is like two bald men fighting over a comb.

    4. ske1fr

      Re: Shitesung

      Mediatek. Never again. Drove me mad with Bluetooth signal loss and reconnecting all the time. Replaced that phone with one with Qualcomm and have never had that issue since, this with the same headphones and speakers, and the car. No Apt-X for Mediatek. As for Samsung (I never realised that was how you pronounced it...), had one, hated all the Samsung apps, never again. Your mileage may vary, I hope so.

  5. Arthur the cat Silver badge

    Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update.

    Some of us still haven't received that yet. [No, you can't have my phone number.]

    1. Steve Aubrey
      Go

      Re: Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update.

      If you have a supported Pixel phone, they are supposed to give it to you when you ask. Settings | System | System update | Check for update. Now I did hear that the 6/6a updates were running late, so, as always, YMMV.

      1. Arthur the cat Silver badge
        Unhappy

        Re: Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update.

        Settings | System | System update | Check for update

        Tried every few days for the last fortnight, still no joy.

        I did hear that the 6/6a updates were running late

        It's a 6.

        1. Arthur the cat Silver badge

          Re: Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update.

          And finally it's arrived. Only a fortnight or so later than usual.

    2. sanmigueelbeer
      Joke

      Re: Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update.

      Good mornin', dear Sir. My name is Ed and I am from Samsung Network Operations & Security Team.

      I am calling because we detected your mobile phone may have a virus. Before I continue, can I have your mobile phone number, please?

    3. phuzz Silver badge

      Re: Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update.

      None of the Pixel 6 devices (6a here) have received the March update yet.

      1. Anonymous Coward

        Re: Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update.

        Yeah, they've delayed the Pixel 6 patch. Shame they disclosed the bug before they'd made the fixes available to everyone.

  6. An_Old_Dog Silver badge

    Frikkin' Network Operators

    I have a Samsung A13, I have the latest available software installed, and yet I can't turn off VoLTE because there is no UI option to do so. A friend also has an A13, a different network operator, and he does have the option to turn off VoLTE.

    1. Kevin McMurtrie Silver badge

      Re: Frikkin' Network Operators

      In many places it's VoLTE, VoNR, or nothing. Even if GSM was still around it wouldn't handle everyone trying to use it.

      I do wish there were more consumer protections for cellphones. You pay $300 to $1500 and hope the manufacturer keeps it running as advertised for at least two years. Most don't care what happens after the 14 day return window. They'll even lie that a fix is coming to make your return window expire.

      1. Snapper

        Re: Frikkin' Network Operators

        I run a refurb iPhone 8 (2017) and my wife has the same. Before that I had an iPhone 6s for four years until I dropped it off a roof.

        My daughter changes her Samsung phone every couple of years because there is always something going wrong with it after that time.

        Some phones are better made and last longer than new shiny toys like Samsung.

        1. Kevin McMurtrie Silver badge

          Re: Frikkin' Network Operators

          There's plenty of news about Apple intentionally leaving in privacy and security violations too. I think Apple devices are rated highly because they're purchased as a generic appliance rather than a versatile compute and communication device. Nobody pays attention if Apple has bypassed VPN or is logging personal activities. It consistently satisfies limited expectations.

        2. Toe Knee

          Re: Frikkin' Network Operators

          Apple is guilty of many, many things, but their long term support of iPhones is not one of them. The official, published window for my handset is 2018-2025. Past experience with Apple suggests that they mean it.

          I think it’s safe to say that NONE of the players in the Android space are willing (or even able) to make that type of commitment.

    2. Dan 55 Silver badge

      Re: Frikkin' Network Operators

      Your operator is probably removing older networks so there's only VoLTE left and probably don't want to rename the option to "I want to be able to make voice calls".

  7. David Pearce

    I checked and found an unexpected security update for my A53G, the last only on 6th March, so maybe connected

  8. Kameleonic

    Apple

    I avoided buying an iPhone for years due to overpricing, in my opinion that is. Now I have one, and at times look for excuses to sell it and return to Android, but it seems all too often I see security issues like these and think, I’ll stay with my iPhone a little longer. I know Apple has security issues, but they patch things rapidly. Android means waiting on each individual manufacturer to act, and many act too slowly in comparison to Apple.

    1. Charlie Clark Silver badge

      Re: Apple

      I know Apple has security issues, but they patch things rapidly.

      While Apple might have fewer security issues than Android, their patching speed is really poor. They just sit on the reports until after releasing the update. Where they do excel is getting people to install the latest versions, even if this means buying new versions of their apps.

      1. The Real SteveP

        Re: Apple

        "While Apple might have fewer security issues than Android, their patching speed is really poor. They just sit on the reports until after releasing the update. Where they do excel is getting people to install the latest versions, even if this means buying new versions of their apps."

        Or even if it means buying new hardware because your current device can't install/run the update.

        1. doublelayer Silver badge

          Re: Apple

          Your attempt to put down Apple is showing your ignorance on the topic.

          "Or even if it means buying new hardware because your current device can't install/run the update."

          You're talking about Android, aren't you? Apple supports the latest operating system on most of their devices for about seven years. When an update is released, all those devices can install it on the first day. There is no delay. What if your device is too old to run it? They're also known to release security patches for the last supported operating system version as well. When the latest devices were running IOS 14 but some devices had been stuck on IOS 12, they released security patches for IOS 12. Those were also available at the same time. It's Android where there's doubt if a security patch will get to your hardware and how long it will take. By the time an iPhone doesn't get the feature updates anymore, security patches for an Android device released at the same time have stopped (unless you've installed a custom version that somehow manages to patch even though it was so hard for the manufacturers). That iPhone will get a few more years of security-only updates as well.

          I'm happy to complain about it when Apple does something bad like this. In fact, I'll do it right now: they do cut off their Macs' security and operating system updates too early and for no good technical reason. Had you been talking about Macs, we could have agreed and had a fun time trashing their artificial obsolescence record. However, that record is bad because I'm comparing Macs to Windows and Linux computers. I have to compare iPhones to Android, and the iPhone's security update situation is better than the best Android devices out there and almost incomparably better than the average.

  9. Anonymous Coward

    I work in Telco & hear that Samsung is advising that the most serious issues don't affect Samsung devices, only others that use the affected Exynos chips, like the Google Pixels.

    While I don't have the time and skills to attempt exploiting the vulnerabilities to confirm, I'd suggest it's probably true as Samsung wouldn't want to lose trust by falsely saying this.

  10. Silverburn

    May as well just turn off the entire device at this point. Jeez.
