Government workers are being told to immediately update their Pixel phones to patch a serious exploit


The US government has issued a dire warning to employees with Pixel phones, mandating a security update by July 4, as originally reported by Forbes. This is due to a high-severity firmware vulnerability within the Android operating system that could open up devices to “limited, targeted exploitation.”

There’s already a patch for the zero-day exploit, but it requires a visit to the settings app to make sure the device is up to date. Government employees who do not install the security update by July 4 must “discontinue use of the product.” It should go without saying that the rest of us should also heed these warnings, particularly those who connect to enterprise servers.

Google has remained mum as to the actual details of the vulnerability, but government involvement makes it seem a bit more serious than your average exploit. The federal mandate is directed exclusively at Pixel devices, but it looks like the exploit could extend to other Android phones.

The folks behind GrapheneOS, an operating system based on Android, note that the vulnerability is not exclusive to Pixel phones. The organization says a fix will be part of any update to Android 15, which releases in August, but that it hasn’t been backported. So, if you opt not to update the OS, you likely won’t get the patch. It remains unclear if there are any other options for mitigation. We reached out to Google and will update this post when we know more.

The warning issued by the US government, as described in the Known Exploited Vulnerabilities (KEV) catalog, is also stingy with the details. The advisory simply states that “Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation.” GrapheneOS says the flaw is that memory is not wiped when running a firmware-based fastboot mode, which potentially allows nefarious actors to exploit the system “to get previous OS memory.”

To recap, update your Pixel phone immediately via the settings app, while those with other Android phones should sit tight for now. It’s never wise to mess with these zero-day exploits, and the involvement of the US government has certainly heightened the threat level a bit here.




