In early February, Google released its latest Android Security Bulletin, which outlines various security vulnerabilities that have been addressed to enhance the platform’s protection. Typically, these vulnerabilities are disclosed once they have been resolved, although there are exceptions.
This month’s bulletin highlighted a particularly critical kernel-level vulnerability, designated CVE-2024-53104, which was still being actively targeted at the time the bulletin was published. As noted in the release information, “There are indications that CVE-2024-53104 may be under limited, targeted exploitation.”
The issue was initially brought to light by experts from Amnesty International, who characterized it as an “out-of-bound write in the USB Video Class (UVC) driver.” Since this is a kernel-level vulnerability, it poses a threat to over a billion Android devices, regardless of their brand.
Because this is a zero-day, the details of the vulnerability are known primarily to the attackers, who may be able to continue exploiting it until security professionals identify it, collaborate with the platform’s team to develop a fix, and subsequently distribute that fix to affected devices. Additionally, two other vulnerabilities, CVE-2024-53197 and CVE-2024-50302, have also been patched at the kernel level but not yet at the operating system level by Google.
### The Swath of Impact
The impact of this vulnerability stretches across the entire Android ecosystem, with USB interfaces serving as the attack vector. The exploits target the Linux kernel USB drivers, allowing unauthorized individuals to bypass Lock Screen protections and gain privileged access to the phone through a USB connection.
In a notable case, a Cellebrite tool was purportedly used to unlock the phone of a Serbian student activist, giving unauthorized access to the device’s data. Law enforcement used the Cellebrite UFED device on the student’s phone without their knowledge or consent.
Amnesty highlights that the deployment of tools like Cellebrite, often misused to target journalists and activists, lacked legal authorization. The device involved was a Samsung Galaxy A32, and the Cellebrite equipment successfully circumvented its Lock Screen security to achieve root access.
The report stresses, “Android vendors must urgently enhance security features to guard against threats from untrustworthy USB connections on locked devices.” This isn’t the first time Cellebrite has drawn attention for ethical issues related to surveillance.
The company markets its forensic analysis tools to various law enforcement and federal agencies across the U.S. and beyond, enabling them to access devices for data extraction. In 2019, Cellebrite claimed it could unlock any Android or Apple device with its Universal Forensic Extraction Device. This has raised significant concerns regarding privacy and ethical practices when authorities misuse technology for surveillance or harassment of whistleblowers, journalists, and activists.
In response to these security challenges, Apple recently tightened security measures in the iOS 18.1 update, aimed at curbing unauthorized access to locked smartphones and safeguarding sensitive information from being compromised.