Google Pixel Deadline—10 Days To Update Or Stop Using Your Phone
How did the U.S. government respond to the Pixel firmware vulnerability?

The U.S. government, through the Cybersecurity and Infrastructure Security Agency (CISA), added the Pixel firmware vulnerability (CVE-2024-32896) to its Known Exploited Vulnerabilities (KEV) catalog [4]. It ordered federal employees to update their Pixel devices before July 4 or discontinue using them [1]. The warning is directed at government agencies, but other enterprises and personal users should also take heed, especially those connecting their devices to enterprise systems.
What does the KEV catalog advisory say about Android Pixel?

The KEV catalog advisory states that Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation [1]. This vulnerability has been added to the catalog due to evidence of active exploitation. Pixel owners are urged to update their devices before July 4 to mitigate the risk.
What prior vulnerabilities did GrapheneOS report being exploited?

GrapheneOS reported two vulnerabilities, CVE-2024-29745 and CVE-2024-29748, being exploited in the wild by forensic companies. CVE-2024-29745 is a high-severity information disclosure flaw in the Pixel's bootloader, while CVE-2024-29748 is a high-severity elevation of privilege bug in the Pixel firmware. These vulnerabilities allowed companies to unlock and access memory on Google Pixel devices with physical access.