Google Patches Two Zero-Day Vulnerabilities in Pixel Phones Exploited by Forensic Firms
April 3, 2024
Google has patched two zero-day vulnerabilities in its Pixel smartphones that forensic companies were exploiting to unlock phones and access their data. Unlike other Android devices, Pixels receive separate updates because their hardware platform and features are exclusive to Google and under its direct control. The April 2024 Android security bulletin mentioned nothing severe, but the corresponding bulletin for Pixel devices disclosed active exploitation of two vulnerabilities, CVE-2024-29745 and CVE-2024-29748. Google warned that these vulnerabilities might be under limited, targeted exploitation.
The CVE-2024-29745 flaw is a high-severity information disclosure vulnerability in the Pixel's bootloader, while CVE-2024-29748 is a high-severity privilege elevation bug in the Pixel firmware. These vulnerabilities were discovered by security researchers from GrapheneOS, a privacy and security-focused Android distribution. The researchers found that forensic companies were actively exploiting these flaws to unlock and access memory on Google Pixel devices they had physically acquired.
GrapheneOS had discovered and reported these flaws a few months earlier, publicly sharing some information while withholding specifics to prevent widespread exploitation in the absence of a patch. They explained that 'CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking.' Forensic companies were exploiting these vulnerabilities to reboot Pixels and other devices that were in the 'After First Unlock' state into fastboot mode and then dump their memory.
Google addressed this issue by zeroing the memory during the booting of fastboot mode and only enabling USB connectivity after the zeroing process was completed, making the attacks impractical. As for CVE-2024-29748, GrapheneOS stated that the flaw allows local attackers to bypass factory resets initiated by apps using the device admin API, rendering such resets insecure. They also noted that Google's fix for this vulnerability is only partial and potentially insufficient, as it's still possible to halt the wipe by cutting power to the device.
GrapheneOS is currently developing a more robust implementation of a duress PIN/password and a secure 'panic wipe' action that won't require a reboot. The April 2024 security update for Pixel phones addresses 24 vulnerabilities, including a critical severity privilege elevation flaw, CVE-2024-29740. Pixel users can apply the update by navigating to Settings > Security & privacy > System & updates > Security update, and tapping install. A restart will be necessary to finalize the update.