MetropleX [GrapheneOS] ⚡🟣 on Nostr: April release of the Pixel boot chain firmware includes fixes for 2 vulnerabilities ...
April release of the Pixel boot chain firmware includes fixes for 2 vulnerabilities reported by GrapheneOS which are being actively exploited in the wild by forensic companies:
https://source.android.com/docs/security/bulletin/pixel/2024-04-01
https://source.android.com/docs/security/overview/acknowledgements
These are assigned CVE-2024-29745 and CVE-2024-29748.
CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.
We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks.
GrapheneOS already implemented defenses against this attack before we became aware of it. After becoming aware of this attack against Pixels running the stock OS, we improved our existing defenses and added new ones alongside reporting the firmware weaknesses to get those fixed.
CVE-2024-29748 refers to a vulnerability providing the ability to interrupt a factory reset triggered by a device admin app. It appears they've implemented a partial solution in firmware. See https://twitter.com/GrapheneOS/status/1772616917611585809 about ongoing work we spotted on wipe-without-reboot support.
Google is publicly working on a fix for the factory reset vulnerability we reported:
https://android-review.googlesource.com/c/platform/frameworks/base/+/3008138
Currently, apps using the device admin API to wipe do not provide any security against a local attacker since you can interrupt them. Forensic companies are aware of this.
GrapheneOS has been working on a duress PIN/password feature for a while, and as part of that we already implemented our own wipe-without-reboot system. We care a lot about doing things properly and the way this was done in existing apps and operating systems was highly insecure.
Published at 2024-04-02 23:49:12