Google has disclosed that two serious security flaws affecting its Pixel smartphones have been exploited by forensic companies: an information disclosure flaw in the bootloader component (CVE-2024-29745) and a privilege escalation flaw in the firmware component (CVE-2024-29748). In its warning of April 2, 2024, Google stated that these vulnerabilities might be targeted in limited attacks.
Although Google didn't provide detailed information about the attacks, GrapheneOS, a security-focused mobile OS, revealed that these flaws are actively exploited by forensic companies. One of the vulnerabilities (CVE-2024-29745) affects the fastboot firmware, which is used for device unlocking, flashing, and locking. Forensic companies are reportedly exploiting this flaw by rebooting devices into fastboot mode in order to extract memory contents.
The second vulnerability (CVE-2024-29748) could allow local attackers to disrupt a factory reset initiated through the device admin API. This disclosure follows earlier GrapheneOS reports of similar firmware vulnerabilities exploited by forensic companies to spy on users.
GrapheneOS has called on Google to implement an auto-reboot feature to mitigate the exploitation of firmware flaws. This development underscores the ongoing challenges in securing mobile devices against sophisticated attacks.