Google’s security research unit is sounding the alarm on a set of vulnerabilities it discovered in certain Samsung chips that are included in dozens of Android models, wearables, and vehicles. The company is concerned that the flaws could be quickly discovered and exploited, so it is urging users to take action to protect themselves.

Tim Willis, the head of Google’s Project Zero, stated that Samsung’s in-house security researchers discovered and reported 18 zero-day vulnerabilities in Exynos modems over the course of the past few months. Among these vulnerabilities were four of the highest severity, which had the potential to compromise affected devices “silently and remotely” over the cellular network.

Willis stated, “Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without the need for user interaction and only require the attacker to know the victim’s phone number.”

An attacker who gained the ability to remotely run code at the baseband level of the device, which is in essence the Exynos modem that converts cell signals into digital data, would have nearly unrestricted access to the data flowing in and out of an affected device, including cellular calls, text messages, and cell data, without alerting the victim.

When it comes to disclosures, Google—or any security research firm—rarely raises the alarm on vulnerabilities of a high severity before they are patched. Google stated that skilled attackers “would be able to quickly create an operational exploit” with limited research and effort, highlighting the public risk.

Maddie Stone, a researcher for Project Zero, posted on Twitter that Samsung had 90 days to fix the bugs but hasn’t done so yet.

In a March 2023 security listing, Samsung confirmed that a number of Exynos modems are vulnerable, affecting a number of Android device manufacturers, but provided few additional details.

Project Zero says that affected devices include nearly a dozen Samsung, Vivo, and Google Pixel 6 and Pixel 7 phones. Wearables and automobiles that use Exynos chips to connect to the cellular network are also affected.

The following devices are included on the affected list:

The S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series of Samsung mobile devices;

Mobile phones made by Vivo, such as the S16, S15, S6, X70, X60, and X30 series;

The Pixel 6 and Pixel 7 series by Google.

Google said that patches for connected vehicles that use the Exynos Auto T5123 chipset will vary from manufacturer to manufacturer. However, the company noted that Pixel devices already have the March security updates installed.

Google stated that users who wish to protect themselves can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “remove the exploitation risk of these vulnerabilities” until affected manufacturers distribute software updates to their customers.

Google said the remaining 14 vulnerabilities were less severe, since they require either access to a device or insider or privileged access to a cell carrier's systems.