Within the first week of February, Google printed its frequent Android Security Bulletin, detailing security flaws which were plugged to present a boost to the platform security. These flaws tend to be declared once they’ve been fastened, with the exception of in special instances.
February is one of those uncommon instances for a kernel-stage, excessive-severity flaw that turned into silent being actively exploited at the time of the bulletin’s unencumber. “There are indications that CVE-2024-53104 is seemingly below runt, targeted exploitation,” says the unencumber hide.
The flaw turned into first reported by experts at Amnesty Global, which describes it as an “out-of-trip write in the USB Video Class (UVC) driver.” The researchers add that because it’s a kernel-stage exploit, it impacts overs over a thousand million Android devices, without reference to the logo label.
Since it’s a zero-day exploit, simplest the attackers know of its existence, except security experts sense its presence, contrivance a fix with the platform’s team, and then widely unencumber it for all affected devices. Two other vulnerabilities, CVE-2024-53197 and CVE-2024-50302, were fastened at the kernel-stage, however haven’t been fully patched at an OS-stage by Google
The impact pool is big
The pool of affected devices is the Android ecosystem, whereas the assault vector is a USB interface. Particularly, we’re speaking about zero-day exploits in the Linux kernel USB drivers, which enables a cross actor to avoid the Lock Display hide security and create deep-stage privileged win entry to to a mobile phone by technique of a USB connection.
In this case, a utility supplied by Cellebrite turned into reportedly outdated to unlock the mobile phone of a Serbian student activist and create win entry to to knowledge saved on it. Particularly, a Cellebrite UFED equipment turned into deployed by laws enforcement officials on the student activist’s mobile phone, without informing them about it or taking their suppose consent.
Amnesty says the utilization of a utility like Cellebrite — which has been abused to center of attention on journalists and activists widely — turned into no longer legally sanctioned. The mobile phone in ask turned into a Samsung Galaxy A32, whereas the Cellebrite instrument turned into able to ruin past its Lock Display hide security and create root win entry to.
“Android distributors must urgently give a boost to defensive security functions to mitigate threats from untrusted USB connections to locked devices,” says Amnesty’s file. This received’t be the first time that the name Cellebrite has looked in the news.
Change your Android smartphone. ASAP!
The corporate sells its forensic diagnosis tools to laws enforcement and federal agencies in the US, and more than one other international locations, letting them brute-force their scheme into devices and extract most indispensable knowledge.
In 2019, Cellebrite claimed that it goes to unlock any Android or Apple instrument the expend of its Universal Forensic Extraction Map. On the choice hand, it has additionally raised ethical issues and privacy alarms about unfair utilization by authorities for surveillance, harassment, and concentrated on of whistleblowers, journalists, and activists.
A pair of months ago, Apple additionally quietly tightened the security protocols with iOS 18.1 change, with the intention of blocking unauthorized win entry to to locked smartphones and preventing exfiltration of mute knowledge.