Google has fixed two big security flaws in its Pixel phones and disclosed the details earlier this week, but only after they were used by forensic companies to gain access without needing a PIN.
In a Pixel update bulletin, Google listed the two vulnerabilities as CVE-2024-29745, an information disclosure flaw in the bootloader, and CVE-2024-29748, a privilege escalation flaw in the firmware. As usual, Google didn't acknowledge the flaws until a patch to fix them was ready.
Also: Leak reveals the Pixel 8a's specs, with big upgrades on the way
Google labels these flaws as "high severity" and recommends that all users update their phones immediately. "There are indications," Google's advisory said, "that the following may be under limited, targeted exploitation."
The flaws were discovered by the makers of GrapheneOS, an open-source, privacy- and security-focused mobile operating system based on Android. The researchers said that to exploit the flaws, the forensic companies had to reboot the Pixel devices into fastboot mode.
Here's how a GrapheneOS post advised Google on a potential fix: "We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks."
If you haven't already, this is a good time to make sure you have the latest Pixel security update. To check, open Settings, scroll down, and tap on "Security and privacy." Tap "Check for updates" under "System & updates" and follow the prompts. If you have a supported Google device, you should receive an update to the 2024-04-05 patch.