0day at Pixel: Google closes data access loopholes

Father

Vulnerabilities CVE-2024-29745 and CVE-2024-29748 were actively exploited by digital forensics companies.

Google has fixed two critical zero-day vulnerabilities in its Pixel smartphones that allowed companies specializing in forensic analysis to unlock users' phones without the PIN code and gain access to the data stored on them.

The April 2024 Pixel Security Bulletin disclosed the active exploitation of two vulnerabilities, CVE-2024-29745 and CVE-2024-29748. The first is described as an information disclosure vulnerability in the bootloader, the second as an elevation of privilege vulnerability. Both are rated "high" severity, but no exact CVSS score has been provided yet.

The GrapheneOS team, which develops the security-focused Android distribution of the same name, reported that these vulnerabilities were being actively exploited as zero-days by companies specializing in forensic analysis (digital forensics) to unlock suspects' devices. The vulnerabilities allowed such companies to unlock Pixel devices they had physical access to and read their memory.

The GrapheneOS team discovered these vulnerabilities and reported them to Google several months ago. It published some information earlier, but withheld the full details until a fix was available in order to avoid widespread exploitation.

In practical terms, exploiting CVE-2024-29745 requires that the device has been unlocked at least once since boot, so that the necessary cryptographic keys are held in RAM. The phone can then be rebooted into fastboot mode, its memory dumped, and the dump extracted over USB.

Exploiting CVE-2024-29748 involves interrupting a factory reset initiated by a third-party application with administrative (device admin) access. For example, if the owner had installed a specialized program that wipes a device holding highly sensitive information remotely, on a schedule, or on a timer, the vulnerability allowed that wipe to be interrupted and the confidential data accessed afterwards.

Google's fixes zero out memory when entering fastboot mode and enable the USB connection only after the factory reset has completed, which makes such attacks impractical.

However, even though the vulnerabilities have been patched, the GrapheneOS team itself considers the fix incomplete: in the case of CVE-2024-29748, the device can still be forcibly powered off during a factory reset, which interrupts the wipe and leaves an opening for further compromise.

Regardless, all Pixel owners are advised to install the April security update, since in addition to these two issues it fixes 22 other vulnerabilities, including CVE-2024-29740, which is rated critical. The full list of fixes is in the aforementioned Pixel Security Bulletin.

To install the update manually, Pixel users can open the system settings, go to "Security and Privacy" > "System and Updates" > "Security Update" and tap Install. A reboot is required to complete the update.
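To confirm that a Pixel actually received the fixes after updating, here is an added example (not from the original post) that reads the device's `ro.build.version.security_patch` property and compares it with the April 2024 bulletin level. It assumes that level is the string "2024-04-05", and the optional live check assumes `adb` is installed and USB debugging is enabled.

```python
"""Check whether a Pixel reports a security patch level at or after the
April 2024 Pixel bulletin, which carries the fixes for CVE-2024-29745
and CVE-2024-29748. Added example, not code from the original post."""
import datetime as dt
import re
import subprocess
from typing import Optional

# Assumption: the April 2024 Pixel bulletin corresponds to this patch level.
APRIL_2024_PATCH_LEVEL = dt.date(2024, 4, 5)

# ro.build.version.security_patch is reported as YYYY-MM-DD.
PATCH_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_patch_level(value: str) -> dt.date:
    """Parse the raw getprop output into a date; reject anything malformed."""
    value = value.strip()
    if not PATCH_RE.match(value):
        raise ValueError(f"unexpected security_patch value: {value!r}")
    return dt.date.fromisoformat(value)


def is_patched(value: str) -> bool:
    """True if the reported level is at or after the April 2024 bulletin."""
    return parse_patch_level(value) >= APRIL_2024_PATCH_LEVEL


def device_patch_level(serial: Optional[str] = None) -> str:
    """Read the property from an attached device over adb (USB debugging on)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.check_output(cmd, text=True, timeout=15)


if __name__ == "__main__":
    # Constructed sample values, e.g. from a fleet inventory export.
    for sample in ("2024-03-05", "2024-04-05", "2024-05-05"):
        state = "has April 2024 fixes" if is_patched(sample) else "MISSING April 2024 fixes"
        print(f"{sample}: {state}")
    try:
        live = device_patch_level()
        print("attached device:", live.strip(), "->", is_patched(live))
    except (FileNotFoundError, subprocess.SubprocessError):
        print("no adb or no device attached; live check skipped")
```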