- 1
CertiK posted a one-minute video asking a question about Web3 devices’ security mentioning finding a “bootloader vulnerability” in the Solana phone. - 2
Solana Labs denies the claim stating that any Android device is vulnerable to such issues.
Solana’s Saga phone is one of the aspiring achievements of the company which entered the market after years of toil. The Android-based Web3 smartphone recently got into the news after a potential vulnerability was found in the device. Blockchain security firm CertiK brought the report after analyzing the device and raised concerns that the vulnerability can make Saga prone to digital attacks.
CertiK posted a one-minute video on social media platform X, formerly Twitter, on Wednesday, November 15. The video with the caption asking a question about Web3 devices’ security mentioned finding a “bootloader vulnerability” in the Solana phone.
Ever wondered about the security of your Web3 devices?
Our newest exploration reveals a significant bootloader vulnerability in the Solana Phone, a challenge not just for this device but for the entire industry. Our commitment to enhancing security standards is unwavering.
— CertiK (@CertiK) November 15, 2023
The video showed a user exploiting the alleged vulnerability to hack into the phone and access crucial information. It even showed a demo of how the exploitation could lead to stealing crypto assets.
The blockchain security company claims that the bootloader makes the Solana devices that “contain a root backdoor” prone to threat activities. However, it’s also important to note that the attacker could only access the device if it’s available physically.
CertiK stated in the post “The boot loader is unlocked and software integrity cannot be guaranteed. Any data stored on the device may be available to attackers, Do not store any sensitive data on the device”
A backdoor software can be installed in a device such as a mobile phone that can allow further compromise including accessing sensitive information.
Solana Disagrees With the Allegations of CertiK
Solana Labs responded to CertiK’s revelation about alleged vulnerabilities in Solana Saga phones. The company denies that it’s an inherent issue in their device. Rather, they said that any Android device is vulnerable to backdoor attacks.
In an official Open Source Project documentation of Android it is also highlighted that the bootloader can be locked and unlocked.
However, it’s not as easy as it may sound. As mentioned already, the attacker must have physical access to the device in order to inject the software before hacking it. This itself acts as a hindrance in the process for illicit actors to enter the phone through backdoor.
Many X users responded to CertiK and a majority of them seem to disagree with the blockchain security firm’s claims. Some even claimed this action aimed to attack Solana phone’s popularity. They also voiced the argument that any Android device can be hacked through the process shown in the video.
X users called out for not using “Seed Vault” which is supposed to support digital assets and seeds in the devices.
Source: https://www.thecoinrepublic.com/2023/11/16/certik-says-saga-phone-has-bootloader-vulnerability-solana-denies/