April 3, 2024 at 10:52AM
Google has fixed two zero-day vulnerabilities in Google Pixel devices that were exploited by forensic companies to unlock phones without a PIN and access stored data. The vulnerabilities, CVE-2024-29745 and CVE-2024-29748, were actively exploited, prompting Google to issue a security update that addresses 24 vulnerabilities, including critical ones. Users can apply the update through their Pixel phones’ settings.
Key Takeaways from Meeting Notes:
1. Google fixed two zero-day vulnerabilities in Google Pixel devices that were being exploited by forensic firms to unlock phones without a PIN and access stored data.
2. Pixels receive separate updates from standard Android patches due to unique hardware control by Google and exclusive features.
3. The April 2024 security bulletin for Pixel devices disclosed active exploitation of two vulnerabilities – CVE-2024-29745 and CVE-2024-29748.
4. GrapheneOS discovered the exploits and reported them, indicating the flaws allowed access to device memory and circumvention of factory resets.
5. Google’s fix for the vulnerabilities includes zeroing memory during fastboot mode boot, enabling USB connectivity only after the process is completed, and partial fix for the factory reset circumvention.
6. Pixel users have been instructed to apply the security update through the Settings menu and to restart their devices after installing the update.