April 3, 2024 at 12:57PM
Google disclosed two Android security flaws, CVE-2024-29745 and CVE-2024-29748, exploited by forensic companies on Pixel smartphones. These vulnerabilities include information disclosure in the bootloader and privilege escalation in firmware. GrapheneOS confirmed the active exploitation of these flaws and urged Google to introduce measures against firmware vulnerabilities. (Words: 50)
Key takeaways from the meeting notes on mobile security and zero-day vulnerabilities:
1. Google has disclosed two high-severity zero-day vulnerabilities, CVE-2024-29745 and CVE-2024-29748, impacting its Pixel smartphones.
2. These vulnerabilities have been exploited in the wild by forensic companies, with indications of limited, targeted exploitation.
3. The vulnerabilities involve an information disclosure flaw in the bootloader component and a privilege escalation flaw in the firmware component.
4. GrapheneOS has highlighted that the vulnerabilities are actively exploited by forensic companies to steal data and spy on users, particularly using fastboot mode on Pixels and other devices.
5. The disclosure comes after previous revelations about firmware vulnerabilities being exploited by forensic companies to spy on users.
6. The recommendation has been made for Google to introduce an auto-reboot feature to mitigate the exploitation of firmware flaws.
This article provides valuable insights into the current state of mobile security and underscores the importance of addressing zero-day vulnerabilities in smartphone firmware.