Pixel users on March and older security patches at high risk of exploitation by forensics

Google has issued a critical warning to Pixel smartphone users who have not installed the latest April 2024 security patch. Two high-severity vulnerabilities, tracked as CVE-2024-29745 and CVE-2024-29748, could potentially be exploited by forensic companies for targeted attacks on Google Pixel devices still on March and older security updates.

While Google doesn’t delve deeper into the details of these vulnerabilities beyond the warning, the folks over at MalwareBytes Labs describe them as follows:

• CVE-2024-29745: An information disclosure vulnerability in the bootloader component, which is basically a flaw in the bootloader component that could allow unauthorized access to sensitive information stored on your device.
• CVE-2024-29748: An elevation of privilege (EoP) vulnerability in the Pixel firmware, which describes a vulnerability within the Pixel firmware that opens the door for attackers to gain elevated privileges, potentially gaining deeper control of your device.

Forensic companies and other entities specializing in data extraction often seek out such vulnerabilities to develop advanced tools for accessing locked or encrypted devices. While these tools can be used for legitimate purposes in law enforcement investigations, they also pose a significant risk to the privacy of everyday Pixel users who haven’t updated their software.

Google strongly recommends that all Pixel users install the April 2024 security update immediately since this patch effectively addresses the identified vulnerabilities, minimizing the risk of exploitation.

Staying up-to-date with the latest security patches is crucial to safeguarding your device and personal data. While some users may be hesitant to update due to concerns about potential software issues, the risks associated with unpatched vulnerabilities far outweigh any potential downsides.