Pixel Firmware Security

Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day.

The high-severity vulnerability, tagged as CVE-2024-32896, has been described as an elevation of privilege issue in Pixel Firmware.

The company did not share any additional details related to the nature of attacks exploiting it, but noted "there are indications that CVE-2024-32896 may be under limited, targeted exploitation."

The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets.

Cybersecurity

Some of the notable issues patched include denial-of-service (DoS) issue impacting Modem, and numerous information disclosure flaws affecting GsmSs, ACPM, and Trusty.

The updates are available for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold.

Earlier this April, Google resolved two security flaws in the bootloader and firmware components (CVE-2024-29745 and CVE-2024-29748) that were weaponized by forensic companies to steal sensitive data.

Then last week, Arm notified users of a memory-related vulnerability (CVE-2024-4610) in Bifrost and Valhall GPU kernel drivers that has come under active exploitation.

Update

The maintainers of GrapheneOS, an open-source security and privacy focused Android fork, have revealed that CVE-2024-32896 addresses a previously incorporated partial solution for CVE-2024-29748 and that they are not specific to Pixel devices. However, the mitigations that have been added are specific to Pixels.

"CVE-2024-32896 and CVE-2024-29748 refer to the same vulnerability of interrupting reboot for wipes via the device admin API, which applies to all devices," they said. "CVE-2024-32896 is a full fix in AOSP as part of Android 14 QPR3. It's not at all Pixel specific."

"CVE-2024-29748 was a mitigation for the issue implemented in the Pixel bootloader. Full solution is implementing wipe-without-reboot, which is now a standard feature in Android 14 QPR3 released as part of AOSP."

When reached for comment, Google confirmed that the issue impacts the broader Android platform and that's it working with OEM partners to apply the fixes where applicable. The entire statement is reproduced below -

Android security is aware of this issue, and after further review, this issue does impact Android platform. This vulnerability requires physical access to the device to exploit and interrupts the factory reset process. Additional exploits would be needed to compromise the device.

Out of an abundance of caution, we marked this as 'may be under limited, targeted exploitation' in the Pixel security bulletin after security researchers published examples of how to exploit this vulnerability online. Pixel devices that have installed the latest security update are protected.

We are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available. As a best security practice, users should always update their devices whenever there are new security updates available.

(The story was updated after publication on June 19, 2024, to clarify that CVE-2024-32896 is not limited to Pixel devices.)


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.