Google fixes two Pixel zero-day flaws exploited by forensics firms


Google recently patched two zero-day vulnerabilities in their Pixel phones that were exploited by forensic companies to bypass PIN locks and access data on the devices.

Although Pixel devices run Android, they receive their own updates, separate from the monthly patches distributed to other Android device manufacturers, because their hardware platform and exclusive features are managed directly by Google.

While the April 2024 Android security bulletin didn’t highlight anything critical, the Pixel-specific bulletin released the same month revealed that two vulnerabilities, CVE-2024-29745 and CVE-2024-29748, were being actively exploited.

“There are indications that the following may be under limited, targeted exploitation,” Google noted.

CVE-2024-29745 is a high-severity information disclosure vulnerability affecting the bootloader in Pixel devices, while CVE-2024-29748 is classified as a high-severity elevation of privilege issue within the Pixel firmware.

Security researchers from GrapheneOS, an Android distribution focused on privacy and security, disclosed on X that they had identified forensic companies taking advantage of these flaws.

These vulnerabilities allow companies with physical access to Pixel devices to unlock them and access their memory.

GrapheneOS discovered and reported these issues months earlier, releasing some general details to the public while keeping the technical specifics under wraps to avoid mass exploitation before a fix was available.

“CVE-2024-29745 relates to a vulnerability in the fastboot firmware that supports unlocking, flashing, and locking the device,” GrapheneOS explained in a series of posts on X.

“Forensic firms are rebooting devices in the ‘After First Unlock’ state into fastboot mode on Pixels and other devices to exploit the vulnerabilities there and then dump memory.”

Google addressed this by wiping the memory during the boot process into fastboot mode, only enabling USB connectivity once that wipe is complete, which makes the attack unfeasible.

As for CVE-2024-29748, GrapheneOS pointed out that it allows local attackers to bypass factory resets initiated through the device admin API, which compromises the security of such resets.

GrapheneOS told BleepingComputer that Google’s current fix for this vulnerability is incomplete and might be insufficient, as it remains possible to halt the reset process by cutting the power to the device.

GrapheneOS is working on a more robust solution involving a duress PIN/password and a secure “panic wipe” function that won’t need a device reboot.

The April 2024 security update for Pixel phones includes patches for 24 vulnerabilities, among them CVE-2024-29740, a critical elevation of privilege issue.

Pixel users can install the update by navigating to Settings > Security & privacy > System & updates > Security update and tapping install. A restart is required to finalize the update.
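For anyone responsible for more than one Pixel, the practical follow-up is to confirm that every device actually reports an April 2024 or later patch level. The script below is an added example, not part of the original article; it assumes a constructed inventory with hypothetical serials, where on a real device the second field would come from `adb shell getprop ro.build.version.security_patch`.

```shell
# Constructed inventory (hypothetical serials): one line per device,
# "<serial> <ro.build.version.security_patch>". On a real device the
# second field comes from:
#   adb -s "$serial" shell getprop ro.build.version.security_patch
INVENTORY='PIXEL-A1 2024-04-05
PIXEL-B2 2024-03-05
PIXEL-C3 2024-05-05
PIXEL-D4 2023-12-05'

# Minimum acceptable level: any patch date in or after April 2024,
# the month of the bulletin that fixed CVE-2024-29745 and CVE-2024-29748.
MIN_PATCH=20240401

# Return 0 if the value is a well-formed YYYY-MM-DD patch level dated on
# or after MIN_PATCH; anything malformed or empty counts as unpatched.
patch_level_ok() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Drop the dashes so the date can be compared as an integer.
    n=$(printf '%s' "$level" | tr -d -)
    [ "$n" -ge "$MIN_PATCH" ]
}

# Print the serials of devices still below the required level, one per line.
unpatched_devices() {
    printf '%s\n' "$INVENTORY" | while read -r serial level; do
        [ -n "$serial" ] || continue
        patch_level_ok "$level" || printf '%s\n' "$serial"
    done
}

unpatched_devices
```

Any serial printed is a device that still needs the update described above (or one whose property could not be read and should be checked by hand).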
