
Google is urging owners of certain Android phones to take urgent action to protect themselves from critical vulnerabilities that give cybercriminals the ability to covertly compromise their devices by placing a specially crafted call to their number. It is not clear whether all of the urged actions are even possible, however, and even if they are, the measures will strip devices of most of their voice-calling capability.
The vulnerability affects Android devices that use the Exynos chipset made by Samsung's semiconductor division. Vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are vulnerable ONLY if they run the Exynos chipset, which includes the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs a Qualcomm Snapdragon chip.
A bug tracked as CVE-2023-24033 and three others that have yet to receive a CVE designation make it possible for hackers to execute malicious code, Google's Project Zero vulnerability team reported on Thursday. Code-execution bugs in the baseband can be especially critical because the chips are given root-level system privileges to ensure that voice calls work reliably.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number,” Project Zero's Tim Willis wrote. “With limited additional research and development, we believe that skilled attackers would be able to create an operational exploit to compromise affected devices silently and remotely.”
Earlier this month, Google released a patch for vulnerable Pixel models. Samsung has released an update patching CVE-2023-24033, but it has not yet been delivered to end users. There is no indication that Samsung has issued patches for the other three critical vulnerabilities. Until vulnerable devices are patched, they remain exposed to attacks that give access at the deepest level possible.
The threat prompted Willis to put this advice at the top of Thursday's post:
Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung's Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.
The problem is that it is not entirely clear that turning off VoLTE is possible, at least on many models. A screenshot that one S22 user posted to Reddit last year shows the option to turn off VoLTE grayed out. While that user's S22 was running a Snapdragon chip, the experience for users of Exynos-based phones is likely the same.
And even if it is possible to turn off VoLTE, doing so in conjunction with turning off Wi-Fi may turn phones into little more than small tablets running Android. VoLTE came into widespread use a few years ago, and since then many carriers in North America have stopped supporting the older 3G and 2G frequencies.
Samsung representatives said in an email that in March the company released security patches for five of six vulnerabilities that “may potentially impact select Galaxy devices” and that it will patch the sixth flaw next month. The email did not answer questions asking whether any of the patches are available to end users now or whether it is possible to turn off VoLTE.
A Google representative, meanwhile, declined to provide specific steps for carrying out the advice in the Project Zero writeup. Readers who figure out a way are invited to explain the process (with screenshots, if possible) in the comments section.
Because of the severity of the bugs and the ease of exploitation by skilled hackers, Thursday's post omitted technical details. On its product security update page, Samsung described CVE-2023-24033 as “memory corruption when processing SDP attribute accept-type.”
“The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem,” the advisory added. “Users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability.”
Short for the Service Discovery Protocol layer, SDP allows the discovery of services available from other devices over Bluetooth. Beyond discovery, SDP lets applications determine the technical characteristics of those services. SDP uses a request/response model for devices to communicate.
The threat is serious, but again, it applies only to people using an Exynos version of one of the affected models. And again, Google released a patch earlier this month for Pixel users.
Until Samsung or Google says more, users of devices that remain vulnerable should (1) install all available security updates, keeping a close eye out for one that patches CVE-2023-24033, (2) turn off Wi-Fi calling, and (3) check the settings menu of their specific model to see whether it is possible to turn off VoLTE. This post will be updated if either company responds with more useful information.