Pixel Phone Zero-Days Exploited by Forensic Firms

Google this week patched two Pixel phone zero-day vulnerabilities actively exploited by forensic companies to obtain data from devices.

The two zero-day vulnerabilities patched by Google in its Pixel phones with the April 2024 security update are being actively exploited by forensic firms to obtain data from devices, the privacy and security-focused mobile platform GrapheneOS says.

The flaws, tracked as CVE-2024-29745 and CVE-2024-29748, were identified in Pixel’s bootloader and firmware, but Google shared no additional details, other than that they “may be under limited, targeted exploitation”.

According to GrapheneOS, which develops an Android-based operating system for Pixel devices, CVE-2024-29745 was identified in Pixel’s fastboot firmware, the component that handles bootloader unlocking, flashing and locking operations.

“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory,” GrapheneOS said on X.

“We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks,” it added.

The second issue, CVE-2024-29748, allows local attackers to interrupt factory resets triggered by applications via the device admin API.

“We weren’t sure if they would even consider this to be a valid vulnerability but it was accepted as a high severity issue with a $5,000 bounty,” GrapheneOS said last week.

The patch provided by Google, however, is only a partial fix, GrapheneOS claims. The mitigations it proposes include wipe-without-reboot functionality and blocking USB connections, except for charging, unless they are made while the device is unlocked.
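Since the article places the fixes in the April 2024 Pixel update, a first triage step for a fleet is to confirm each device reports at least that patch level. The following helper is an added example, not code from the article, GrapheneOS or Google; it parses the output of `adb shell getprop` (live or saved to a file), and the exact minimum patch date it uses is an assumption, as is the choice to also report bootloader lock state. As GrapheneOS notes above, a current patch level is necessary but, in their view, not sufficient.

```shell
#!/bin/sh
# Added example (not from the article, GrapheneOS or Google): parse
# `adb shell getprop` output and report whether a Pixel carries at least the
# April 2024 security patch level and whether its bootloader is still locked.

# Earliest patch level assumed to carry the CVE-2024-29745/29748 fixes.
# The article names only "April 2024"; the specific day is an assumption.
MIN_PATCH="2024-04-01"

# prop NAME: read one property from getprop text ("[key]: [value]") on stdin.
prop() {
    sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p" | head -n 1
}

# patch_current LEVEL: succeed if LEVEL (YYYY-MM-DD) is at or after MIN_PATCH.
# Dropping the dashes turns both dates into integers that compare correctly.
patch_current() {
    [ -n "$1" ] || return 1
    have=$(printf '%s' "$1" | tr -d '-')
    want=$(printf '%s' "$MIN_PATCH" | tr -d '-')
    [ "$have" -ge "$want" ] 2>/dev/null
}

# assess: read getprop output on stdin, print findings, and succeed only if
# the patch level is current AND the bootloader is locked.
assess() {
    input=$(cat)
    patch=$(printf '%s\n' "$input" | prop ro.build.version.security_patch)
    locked=$(printf '%s\n' "$input" | prop ro.boot.flash.locked)
    rc=0
    if patch_current "$patch"; then
        echo "security patch $patch: includes the April 2024 fixes"
    else
        echo "security patch ${patch:-unknown}: update required"; rc=1
    fi
    if [ "$locked" = "1" ]; then
        echo "bootloader: locked"
    else
        echo "bootloader: unlocked or unknown"; rc=1
    fi
    return $rc
}

# Constructed sample outputs (not captured from real devices).
SAMPLE_PATCHED='[ro.build.version.security_patch]: [2024-04-05]
[ro.boot.flash.locked]: [1]'
SAMPLE_STALE='[ro.build.version.security_patch]: [2024-03-05]
[ro.boot.flash.locked]: [1]'

# Live use: adb shell getprop | sh -c '. ./check_pixel.sh; assess'
```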

Furthermore, GrapheneOS proposes a duress PIN/password feature triggering the wipe-without-reboot functionality, as well as auto-reboots that prevent the exploitation of firmware vulnerabilities.

“All of our defenses against obtaining data from After First Unlock state devices are centered around auto-reboot. Our goal is preventing exploitation long enough for the device to cleanly reboot and get the data back at rest as if it had been obtained while it was powered off,” GrapheneOS explains.

‘At rest’ devices are either powered off or have not yet been unlocked since boot, meaning that installed applications do not have access to the encryption keys and users’ data remains protected. The idea behind GrapheneOS’s approach is to restore all of these protections by rebooting the device before an attacker can complete exploitation.

SecurityWeek has emailed Google for a statement and will update the article as soon as a reply arrives.

Related: Google Patches Exploited Pixel Vulnerabilities

Related: CISA Warns of Pixel Phone Vulnerability Exploitation

Related: Google Announces Enhanced Fraud Protection for Android

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.