Google has fixed two Google Pixel zero-days exploited by forensic firms to unlock phones without a PIN and gain access to the data stored within them.
Although Pixels run Android, they receive separate updates from the standard monthly patches distributed to all Android device OEMs. This is due to their unique hardware platform, over which Google has direct control, and the exclusive features and capabilities.
While the April 2024 security bulletin for Android didn’t contain anything severe, the corresponding April 2024 bulletin for Pixel devices disclosed active exploitation of two vulnerabilities tracked as CVE-2024-29745 and CVE-2024-29748 flaws.
“There are indications that the following may be under limited, targeted exploitation,” warned Google.
CVE-2024-29745 is marked as a high-severity information disclosure flaw in the Pixel’s bootloader, while CVE-2024-29748 is described as a high-severity elevation of privilege bug in the Pixel firmware.
Security researchers for GrapheneOS, a privacy-enhanced and security-focused Android distribution, disclosed on X that they discovered forensic companies actively exploited the flaws.
The flaws allow companies to unlock and access memory on Google Pixel devices, which they have physical access to.
GrapheneOS discovered and reported these flaws a few months back, sharing some information publicly but keeping the specifics undisclosed to avoid fueling widespread exploitation when a patch wasn’t available yet.
“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking,” explained GrapheneOS via a thread on X.
“Forensic companies are rebooting devices in ‘After First Unlock’ state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”
Google implemented a fix by zeroing the memory when booting fastboot mode, and only enabling USB connectivity after the zeroing process is completed, rendering the attacks impractical.
In the case of CVE-2024-29748, GrapheneOS says the flaw allows local attackers to circumvent factory resets initiated by apps using the device admin API, making such resets insecure.
GrapheneOS told BleepingComputer that Google’s fix for this vulnerability is partial and potentially inadequate, as it’s still possible to stop the wipe by cutting power to the device.
GrapheneOS says it is working on a more robust implementation of a duress PIN/password and a secure ‘panic wipe’ action that won’t require a reboot.
The April 2024 security update for Pixel phones fixes 24 vulnerabilities, including CVE-2024-29740, a critical severity elevation of privilege flaw.
To apply the update, Pixel users can navigate to Settings > Security & privacy > System & updates > Security update, and tap install. A restart will be required to complete the update.
