Google has fixed two Google Pixel zero-days exploited by forensic firms to unlock phones without a PIN and gain access to the data stored within them.
Although Pixels run Android, they receive separate updates from the standard monthly patches distributed to all Android device OEMs. This is due to their unique hardware platform, over which Google has direct control, and the exclusive features and capabilities.
While the April 2024 security bulletin for Android didn't contain anything severe, the corresponding April 2024 bulletin for Pixel devices disclosed active exploitation of two vulnerabilities tracked as CVE-2024-29745 and CVE-2024-29748 flaws.
"There are indications that the following may be under limited, targeted exploitation," warned Google.
CVE-2024-29745 is marked as a high-severity information disclosure flaw in the Pixel's bootloader, while CVE-2024-29748 is described as a high-severity elevation of privilege bug in the Pixel firmware.
Security researchers for GrapheneOS, a privacy-enhanced and security-focused Android distribution, disclosed on X that they discovered forensic companies actively exploited the flaws.
The flaws allow companies to unlock and access memory on Google Pixel devices, which they have physical access to.
GrapheneOS discovered and reported these flaws a few months back, sharing some information publicly but keeping the specifics undisclosed to avoid fueling widespread exploitation when a patch wasn't available yet.
"CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking," explained GrapheneOS via a thread on X.
"Forensic companies are rebooting devices in 'After First Unlock' state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory."
Google implemented a fix by zeroing the memory when booting fastboot mode, and only enabling USB connectivity after the zeroing process is completed, rendering the attacks impractical.
In the case of CVE-2024-29748, GrapheneOS says the flaw allows local attackers to circumvent factory resets initiated by apps using the device admin API, making such resets insecure.
GrapheneOS told BleepingComputer that Google's fix for this vulnerability is partial and potentially inadequate, as it's still possible to stop the wipe by cutting power to the device.
GrapheneOS says it is working on a more robust implementation of a duress PIN/password and a secure 'panic wipe' action that won't require a reboot.
The April 2024 security update for Pixel phones fixes 24 vulnerabilities, including CVE-2024-29740, a critical severity elevation of privilege flaw.
To apply the update, Pixel users can navigate to Settings > Security & privacy > System & updates > Security update, and tap install. A restart will be required to complete the update.
Comments
tverweij - 2 months ago
With this, Google is protecting the guilty ...
NoneRain - 2 months ago
That's not even an argument.
U_Swimf - 2 months ago
they have reboot rollback protection so dont worry. Nobody get's special treatment. Law enforcement can restore a complete device wipe as can emergency service providers in the USA..
Atleast it appears that way by the file names and deductive reasoning.
h_b_s - 2 months ago
A few things to note:
Your comment is trollish, but I'll clear up some misconceptions for other people more likely to use their head:
Bugs that can be exploited by forensics teams can just as easily be exploited by criminals against anyone.
There's a reason why the US criminal justice system works on a adversarial "innocent till proven guilty" concept. Long story short, it helps minimize to some degree the corruption of a justice system being leveraged to reinforce the prejudices and political agendas of those in power. That's the premise, of course. The system is far from perfect. Therefore, this is protecting the general populace much more than the superficial appearance of protecting the guilty.
LEO have a lot more tools at their disposal than device based forensics. There's rarely more than circumstantial evidence on a person's phone. They just have a tendency to become tunnel visioned when they're being denied one avenue of investigation rather than using their heads. The fact is the LEO arguments about being unable to get into locked devices is less about catching criminals than it is wholesale surveillance at whim instead of bowing to due process, something the 4th amendment to the US Constitution is supposed to prevent. Fixing software bugs is just a technological means of curtailing government overreach.
NoneRain - 2 months ago
I bet Google's team where not particularly happy that GrapheneOS discovered these ones.
U_Swimf - 2 months ago
What makes you think they work as opposing teams?
Fastboot devices are virtually so few being used. Why is having it on even necessary? It's as if the devices arent actuallly rebooting,otherwise how else could it be so fast