Pixel 6 modem critical exploit - Google advises users to disable 2G on their phones

published: Aug. 11, 2023

Take action: If you have a Google Pixel 6 phone and it is not regularly updated with the latest Android versions, please disable 2G networks. Nobody uses them, and they can be an attack vector. Or just update your phone's operating system; that's an option, right?

Learn More

At the Black Hat event in Las Vegas, Google's Android Red Team gave a detailed account of a critical vulnerability discovered in the Pixel 6 modem stack. The vulnerability, which has since been patched, was zero-click: without any interaction from the victim, an attacker who simply initiated a call to the target's Android phone could gain control over the handset.

During the presentation, members of Google's Android Red Team demonstrated how two separate vulnerabilities in the Pixel modem (CVE-2022-20170 and CVE-2022-20405) could be chained into a single attack. The attack first downgraded the targeted Pixel's cellular modem connection to the outdated 2G wireless standard, using a homemade cellphone base station that cost around $1,000, and then used the two flaws to take control of the handset.

Both vulnerabilities were initially discovered in 2021 and were subsequently rated critical, with a Common Vulnerability Scoring System (CVSS) score of 9.8.

  • CVE-2022-20170 was an over-the-air remote code execution flaw, patched in June 2022.
  • CVE-2022-20405 was an elevation of privilege flaw, patched in August 2022. Notably, this second vulnerability was initially rated as only moderate severity.

Successful exploitation of these vulnerabilities let attackers execute code over the air within the privileged context of the Pixel modem. That position opens up a range of attacks on the compromised handset, including denial of service (DoS), SMS/text message sniffing and spoofing, defeating SMS-based multi-factor authentication (MFA), and potentially pivoting into the device's core operating system kernel.

Google states that there is no evidence of these vulnerabilities being exploited in the wild. The delay in sharing the technical details of these vulnerabilities was attributed to internal procedures within Alphabet, Google's parent company.

The attack demonstrated by the Google Red Team starts with CVE-2022-20170, an out-of-bounds (OOB) write in the Pixel 6 modem's 2G signal processing, triggered while decoding over-the-air (OTA) packets from 2G GSM communication. The second vulnerability, CVE-2022-20405, was a misconfiguration in the Pixel 6 modem's code that granted read, write and execute permissions to most of its memory space, which allowed the attacker to execute malicious shellcode.
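The two bug classes named above, a length-trusting packet decoder and a memory map with writable-and-executable regions, are easier to reason about with a small model in front of you. The following C is an added illustration written for this article; it is not Pixel modem code, not the real GSM layer-3 encoding, and has no connection to the Google Red Team's material. The TLV element format, the `struct region` table and all sample bytes are constructed for the example. It shows the unchecked decode pattern beside a hardened decoder that rejects overlong and truncated elements, and a W^X policy check that flags any region mapped read-write-execute, the kind of check a firmware build or boot-time self-test would want to run.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical over-the-air element: [tag:1][len:1][value:len].
 * Constructed for illustration; NOT the real GSM encoding or modem code. */
#define MAX_ELEM_VALUE 32

struct elem {
    uint8_t tag;
    uint8_t len;
    uint8_t value[MAX_ELEM_VALUE];
};

/* Vulnerable pattern: trusts the length byte taken from the air interface.
 * If len > 32 the memcpy writes past out->value (out-of-bounds write); if the
 * packet is shorter than len it also reads past the packet. Shown only for
 * contrast; never run it on untrusted input. */
int decode_elem_unchecked(const uint8_t *pkt, size_t pkt_len, struct elem *out) {
    if (pkt_len < 2) return -1;
    out->tag = pkt[0];
    out->len = pkt[1];
    memcpy(out->value, pkt + 2, out->len);   /* BUG: no bounds check on len */
    return 2 + out->len;
}

/* Hardened decoder: len is checked against both the destination buffer and
 * the bytes actually present before anything is copied. Returns bytes
 * consumed, or -1 if the element is malformed. */
int decode_elem(const uint8_t *pkt, size_t pkt_len, struct elem *out) {
    if (pkt == NULL || out == NULL || pkt_len < 2) return -1;
    uint8_t len = pkt[1];
    if (len > MAX_ELEM_VALUE) return -1;       /* would overflow out->value */
    if ((size_t)len > pkt_len - 2) return -1;  /* claims more bytes than were sent */
    out->tag = pkt[0];
    out->len = len;
    memcpy(out->value, pkt + 2, len);
    return 2 + (int)len;
}

/* Decodes a packet as a sequence of elements. Returns the element count, or
 * -1 as soon as any element is malformed (a bad packet is rejected whole). */
int decode_packet(const uint8_t *pkt, size_t pkt_len, struct elem *elems, size_t max_elems) {
    size_t off = 0, n = 0;
    while (off < pkt_len) {
        if (n >= max_elems) return -1;
        int used = decode_elem(pkt + off, pkt_len - off, &elems[n]);
        if (used < 0) return -1;
        off += (size_t)used;
        n++;
    }
    return (int)n;
}

/* Convenience wrapper: element count for a packet, -1 if it was rejected. */
int count_elements(const uint8_t *pkt, size_t pkt_len) {
    struct elem scratch[8];
    return decode_packet(pkt, pkt_len, scratch, 8);
}

/* Second bug class: a memory map that leaves regions both writable and
 * executable. A W^X policy check counts RWX regions; a hardened image
 * should report zero. The region table format is hypothetical. */
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u

struct region { uintptr_t base; size_t size; unsigned perms; };

int count_wx_regions(const struct region *tbl, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if ((tbl[i].perms & (PERM_W | PERM_X)) == (PERM_W | PERM_X)) bad++;
    return bad;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = {0x05, 3, 0xAA, 0xBB, 0xCC, 0x10, 0}; /* two elements */
static const uint8_t SAMPLE_OVERLONG[]  = {0x05, 200, 0x01};                      /* len > 32 */
static const uint8_t SAMPLE_TRUNCATED[] = {0x05, 4, 0x01, 0x02};                  /* len > remaining */

/* Constructed memory map: code RX, data RW, and one misconfigured RWX region. */
static const struct region SAMPLE_MAP_BAD[] = {
    {0x00000000, 0x100000, PERM_R | PERM_X},
    {0x20000000, 0x080000, PERM_R | PERM_W},
    {0x40000000, 0x800000, PERM_R | PERM_W | PERM_X},
};

int main(void) {
    printf("ok packet: %d elements\n", count_elements(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("overlong element: %d\n", count_elements(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    printf("truncated element: %d\n", count_elements(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("RWX regions in map: %d\n", count_wx_regions(SAMPLE_MAP_BAD, 3));
    return 0;
}
```

The hardened decoder rejects the whole packet at the first malformed element rather than salvaging the well-formed prefix; in a parser fed by untrusted radio input, partial trust is where length-confusion bugs hide. The W^X count is the kind of invariant worth asserting at build or boot time so that a permissive mapping is caught before it becomes the second half of a chain like the one described here.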
