Google Fixes Critical Zero-Day Exploits on Pixel Devices
ICARO Media Group
In a recent security update, Google has addressed two zero-day vulnerabilities on its Pixel devices, which were being actively exploited by forensic firms to bypass PIN codes and gain unauthorized access to stored data. While Pixels run on Android, they receive separate updates due to their unique hardware platform and exclusive features.
The April 2024 security bulletin for Pixel devices disclosed the active exploitation of two vulnerabilities, namely CVE-2024-29745 and CVE-2024-29748. These flaws were categorized as high-severity information disclosure and elevation of privilege bugs, respectively. Google has warned that there were indications of limited, targeted exploitation.
GrapheneOS, a security-focused Android distribution, recently revealed that it had discovered forensic companies actively exploiting these vulnerabilities. By exploiting the flaws, these companies were able to unlock Google Pixel devices they had physical access to and gain access to the device's memory.
CVE-2024-29745 is a vulnerability in the Pixel's bootloader, while CVE-2024-29748 allows local attackers to bypass factory resets initiated by apps using the device admin API. GrapheneOS had reported these vulnerabilities a few months ago, sharing limited information publicly to avoid widespread exploitation until a patch became available.
Google has implemented a fix for the vulnerabilities. For CVE-2024-29745, the fix involves zeroing the memory when the device boots into fastboot mode and enabling USB connectivity only after the zeroing process is completed. This renders the attacks impractical. However, the fix for CVE-2024-29748 is considered partial by GrapheneOS, as it is still possible to stop the wipe by cutting power to the device.
GrapheneOS is actively working on a more robust implementation of a duress PIN/password and a secure "panic wipe" action that won't require a reboot to address the remaining vulnerability.
The April 2024 security update for Pixel devices includes fixes for a total of 24 vulnerabilities, one of which is a critical-severity elevation of privilege flaw (CVE-2024-29740). To apply the update, Pixel users can navigate to Settings > Security & privacy > System & updates > Security update and tap Install. A restart will be required to complete the update.
Google's swift response to address these zero-day vulnerabilities ensures the continued security and privacy of users' data on Pixel devices. It also highlights the importance of timely updates and collaboration with security-focused entities such as GrapheneOS to identify and mitigate potential threats.