SecurityWeek

Mobile & Wireless

Pixel Phone Zero-Days Exploited by Forensic Firms

Google this week patched two Pixel phone zero-day vulnerabilities actively exploited by forensic companies to obtain data from devices.


The two zero-day vulnerabilities patched by Google in its Pixel phones with the April 2024 security update are being actively exploited by forensic firms to obtain data from devices, the privacy and security-focused mobile platform GrapheneOS says.

The flaws, tracked as CVE-2024-29745 and CVE-2024-29748, were identified in Pixel’s bootloader and firmware, but Google shared no additional details, other than that they “may be under limited, targeted exploitation”.

According to GrapheneOS, which develops an Android-based operating system for Pixel devices, CVE-2024-29745 was found in Pixel's fastboot firmware, the bootloader mode that handles bootloader unlocking, flashing and re-locking.

“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory,” GrapheneOS said on X.

“We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks,” it added.
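The attack and the fix described above come down to an ordering rule in the firmware: RAM must be cleared before the USB stack that serves fastboot commands is brought up. The following is an added example written for this article, not Google's or GrapheneOS's code. It models a warm reboot into fastboot with a fixed RAM buffer that is assumed to keep its contents (the premise of the attack), a constructed 32-byte pattern standing in for key material, and a boolean for the moment USB becomes reachable. The zeroizer writes through a volatile pointer so the compiler cannot treat it as a dead store and drop it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RAM_SIZE   4096u
#define KEY_OFFSET 1024u

/* Simulated DRAM. The model assumes, as the attack does, that its contents
 * survive a warm reboot into fastboot mode. */
uint8_t ram[RAM_SIZE];

/* Set once the fastboot USB stack is up: from here on an attacker with a
 * cable can issue commands and read memory. */
bool usb_enabled = false;

/* Constructed pattern standing in for a storage key that the OS leaves in
 * RAM while the device is in After First Unlock state. */
const uint8_t sample_key[32] = {
    0xA5, 0x5A, 0x3C, 0xC3, 0x0F, 0xF0, 0x96, 0x69,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xBA, 0xBE,
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF
};

/* Zeroization the optimizer cannot drop: a plain memset() on memory that is
 * never read again is a dead store and may be elided; stores through a
 * volatile pointer must be performed. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Put the device into After First Unlock state: key in RAM, USB down. */
void os_run_after_first_unlock(void)
{
    memset(ram, 0x00, sizeof ram);
    memcpy(ram + KEY_OFFSET, sample_key, sizeof sample_key);
    usb_enabled = false;
}

/* Attacker side: once USB is up, dump all of RAM and search it for the key.
 * Returns true if the key can be recovered from the dump. */
bool attacker_recovers_key(void)
{
    if (!usb_enabled) {
        return false;               /* nothing to talk to yet */
    }
    uint8_t dump[RAM_SIZE];
    memcpy(dump, ram, sizeof dump); /* the memory-dump command */
    for (size_t i = 0; i + sizeof sample_key <= sizeof dump; i++) {
        if (memcmp(dump + i, sample_key, sizeof sample_key) == 0) {
            return true;
        }
    }
    return false;
}

/* Vulnerable ordering: USB comes up while RAM still holds OS state. */
void fastboot_enter_vulnerable(void)
{
    usb_enabled = true;             /* attacker can already dump memory */
}

/* Fixed ordering: zero all of RAM first and only then enable USB, so the
 * earliest dump an attacker can take already contains nothing. */
void fastboot_enter_fixed(void)
{
    secure_zero(ram, sizeof ram);
    usb_enabled = true;
}
```

The check a firmware reviewer wants is the second path: after `fastboot_enter_fixed()` the USB flag is set, yet the dump no longer contains the pattern. Swapping the two statements in that function reproduces the vulnerable behaviour.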

The second issue, CVE-2024-29748, allows a local attacker to interrupt a factory reset that an application has triggered through the device admin API, so that the wipe does not complete.

“We weren’t sure if they would even consider this to be a valid vulnerability but it was accepted as a high severity issue with a $5,000 bounty,” GrapheneOS said last week.

Google's patch is only a partial fix, GrapheneOS claims. The mitigations it proposes instead include a wipe-without-reboot mechanism, and blocking new USB connections, other than charging, that are not established while the device is unlocked.


GrapheneOS also proposes a duress PIN/password that triggers the wipe-without-reboot function, and an automatic reboot of a device that has stayed locked for too long, which narrows the window in which firmware vulnerabilities can be exploited.

“All of our defenses against obtaining data from After First Unlock state devices are centered around auto-reboot. Our goal is preventing exploitation long enough for the device to cleanly reboot and get the data back at rest as if it had been obtained while it was powered off,” GrapheneOS explains.

A device is ‘at rest’ when it is powered off or has not yet been unlocked since boot (the Before First Unlock state): the keys protecting user data have not been released from the lock-screen credential, so neither installed applications nor an attacker dumping memory can reach the data. Rebooting the device returns it to that state, and this is what GrapheneOS's approach relies on.
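The state model behind the auto-reboot and duress-PIN defenses, as an added example written for this article and not GrapheneOS's implementation. The timeout, the PIN values and the 32-byte key pattern are constructed assumptions; the secure-element slot and the key's presence in RAM are modelled as plain fields. What the model shows is that locking the screen does not take the device out of the After First Unlock state (the key stays in RAM), that only a reboot returns it to Before First Unlock, and that a duress PIN destroys the slot so the data is unrecoverable without any reboot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy values; the page does not state GrapheneOS's defaults. */
#define AUTO_REBOOT_SECONDS (18u * 3600u)
#define NORMAL_PIN "2580"   /* constructed */
#define DURESS_PIN "1379"   /* constructed */

enum dev_state {
    BFU,          /* Before First Unlock: at rest, no storage key in RAM */
    AFU_UNLOCKED, /* screen unlocked, storage key in RAM */
    AFU_LOCKED,   /* screen locked, but the key is still in RAM */
    WIPED         /* key slot destroyed: data unrecoverable, no reboot needed */
};

struct device {
    enum dev_state state;
    bool key_slot_valid;      /* secure-element slot that can release the key */
    uint8_t key_in_ram[32];   /* all zero means no key present */
    unsigned locked_seconds;  /* time spent in AFU_LOCKED since the last lock */
};

/* Constructed pattern standing in for the storage key. */
static const uint8_t storage_key[32] = {
    0x9C, 0x1F, 0x7A, 0x03, 0xE2, 0x55, 0x48, 0xB1,
    0x6D, 0xC4, 0x2E, 0x90, 0x17, 0xF8, 0xA3, 0x0B,
    0x5E, 0xD7, 0x81, 0x3A, 0xC9, 0x64, 0xFF, 0x12,
    0x2B, 0x8E, 0x47, 0xD0, 0x39, 0xA6, 0x75, 0xEC
};

static bool key_present(const struct device *d)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof d->key_in_ram; i++) acc |= d->key_in_ram[i];
    return acc != 0;
}

/* Power-on or reboot: the key is gone from RAM; the slot survives. */
void device_boot(struct device *d)
{
    memset(d->key_in_ram, 0, sizeof d->key_in_ram);
    d->state = d->key_slot_valid ? BFU : WIPED;
    d->locked_seconds = 0;
}

void device_init(struct device *d)
{
    d->key_slot_valid = true;
    device_boot(d);
}

/* A PIN entered at the lock screen. Returns true only on a normal unlock. */
bool device_enter_pin(struct device *d, const char *pin)
{
    if (strcmp(pin, DURESS_PIN) == 0) {
        /* Wipe without reboot: destroy the slot and the in-RAM copy while
         * the device keeps running. A real implementation zeroizes with a
         * routine the compiler cannot elide; memset() suffices for a model. */
        d->key_slot_valid = false;
        memset(d->key_in_ram, 0, sizeof d->key_in_ram);
        d->state = WIPED;
        return false;
    }
    if (!d->key_slot_valid || strcmp(pin, NORMAL_PIN) != 0) return false;
    memcpy(d->key_in_ram, storage_key, sizeof storage_key); /* released by the slot */
    d->state = AFU_UNLOCKED;
    d->locked_seconds = 0;
    return true;
}

/* Locking the screen keeps the key in RAM: this is the state attackers target. */
void device_lock(struct device *d)
{
    if (d->state == AFU_UNLOCKED) {
        d->state = AFU_LOCKED;
        d->locked_seconds = 0;
    }
}

/* Time passes. Once the device has been locked long enough, the auto-reboot
 * returns it to BFU, exactly as if it had been powered off. */
void device_tick(struct device *d, unsigned seconds)
{
    if (d->state != AFU_LOCKED) return;
    d->locked_seconds += seconds;
    if (d->locked_seconds >= AUTO_REBOOT_SECONDS) device_boot(d);
}

/* What a memory dump taken right now would yield. */
bool data_recoverable_from_ram(const struct device *d)
{
    return key_present(d);
}
```

The sequence to check is unlock, lock, wait: the data stays recoverable from RAM for the whole locked period until the reboot fires, which is why the timeout bounds how long an exploit against a seized device has to succeed.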

SecurityWeek has emailed Google for a statement and will update the article as soon as a reply arrives.

Related: Google Patches Exploited Pixel Vulnerabilities

Related: CISA Warns of Pixel Phone Vulnerability Exploitation

Related: Google Announces Enhanced Fraud Protection for Android

Written by Ionut Arghire, an international correspondent for SecurityWeek.

