Pixel Phones Vulnerable: Zero-Day Flaws Exploited

Google has patched two zero-day vulnerabilities in its Pixel smartphones that forensic firms were using to unlock users' phones without the PIN and read the data stored on them.

The Pixel Security Bulletin for April 2024 disclosed the active exploitation of two vulnerabilities, CVE-2024-29745 and CVE-2024-29748. The former is described as an information disclosure vulnerability in the bootloader, the latter as an elevation-of-privilege vulnerability in the device firmware. Both are rated "high" severity; no precise CVSS score has been provided.

The GrapheneOS team, developers of the security-focused Android distribution of the same name, reported that both flaws were being exploited as zero-days by forensic companies to unlock suspects' devices. The vulnerabilities allowed such companies to unlock Pixel devices to which they had physical access and read the contents of their memory.


GrapheneOS first discovered these vulnerabilities and reported them to Google several months ago, publishing some information earlier but withholding full details until a fix was available to prevent widespread exploitation.

In practice, exploiting CVE-2024-29745 requires the device to be in the "after first unlock" state: it must have been unlocked at least once since boot, so that the cryptographic keys protecting user data are held in RAM. The attacker then reboots the phone into fastboot mode, where the contents of memory were not cleared, and extracts a full memory dump over USB.

Exploiting CVE-2024-29748 involves interrupting a factory reset that was started by a third-party app holding device administrator privileges. For example, if the owner had installed a duress or dead-man's-switch app that wipes the device remotely or when a schedule or timer expires, an attacker with physical access could interrupt that wipe before it finished and then go on to recover the sensitive data it was meant to destroy.

Google's fixes zero memory before entering fastboot mode and enable USB connectivity only after the factory reset has completed, which makes both attacks impractical.

However, the GrapheneOS team considers the fix for CVE-2024-29748 incomplete: the device can still be forcibly powered off while the reset is running, which interrupts it and leaves the door open to further compromise.

Regardless, all Pixel owners are advised to install the April security update, which addresses these two issues along with 22 other vulnerabilities, including CVE-2024-29740, which is rated critical. The full list of fixes is in the Pixel Security Bulletin referenced above.
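A practical way to confirm that a Pixel has actually received the April 2024 update is to read its reported security patch level over adb. The script below is an added example and is not code from Google, GrapheneOS or the bulletin; the `2024-04-05` threshold is an assumption chosen to stand for the April 2024 release, since the article does not quote a patch-level string, and the sample values at the bottom are constructed to show the comparison offline.

```shell
#!/bin/sh
# Added example: check that a Pixel's security patch level is at least the
# April 2024 level that carries the CVE-2024-29745 / CVE-2024-29748 fixes.
# REQUIRED_PATCH is an assumed value representing that release.
REQUIRED_PATCH="2024-04-05"

# patch_level_ok LEVEL
#   Returns 0 when LEVEL (YYYY-MM-DD, as reported by
#   ro.build.version.security_patch) is at or after REQUIRED_PATCH.
#   Malformed or empty input returns 2 so that "unknown" never counts as OK.
patch_level_ok() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the dashes so the dates compare as plain integers (YYYYMMDD).
    have=$(printf '%s' "$level" | tr -d -)
    want=$(printf '%s' "$REQUIRED_PATCH" | tr -d -)
    [ "$have" -ge "$want" ]
}

# check_device
#   Queries the connected device with adb and reports. This is the only part
#   that needs real hardware; patch_level_ok itself is testable offline.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    if patch_level_ok "$level"; then
        echo "patch level $level: April 2024 fixes present"
    else
        echo "patch level '${level:-unknown}': update required" >&2
        return 1
    fi
}

case "${1:-}" in
    --device)
        check_device
        ;;
    *)
        # Offline demonstration on constructed sample values, formatted the
        # way getprop prints them on a Pixel.
        for sample in 2024-03-05 2024-04-05 2024-05-05; do
            if patch_level_ok "$sample"; then
                echo "$sample: up to date"
            else
                echo "$sample: needs the April 2024 update"
            fi
        done
        ;;
esac
```

Run it with `--device` while a phone is connected with USB debugging enabled; without arguments it only exercises the comparison on the constructed samples. The check deliberately refuses to treat an empty or unparseable value as "patched", which is what you get from a device that is not authorised for adb.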