A recent video from blockchain security firm CertiK made a series of “inaccurate” claims about a potential security vulnerability in Solana’s crypto-enabled Saga phone, Solana Labs has said.
In a Nov. 15 post on X (formerly Twitter), CertiK claimed the Saga phone contained a “critical vulnerability” known as a “bootloader unlock” attack, which would supposedly allow a malicious actor to install a hidden backdoor in the phone.
Ever wondered about the security of your Web3 devices?
Our newest exploration reveals a significant bootloader vulnerability in the Solana Phone, a challenge not just for this device but for the entire industry. Our commitment to enhancing security standards is unwavering. … pic.twitter.com/lHZ5W7hXzy
In a report sent to Cointelegraph, CertiK claimed the bootloader unlock would “allow an attacker with physical access to a phone to load custom firmware containing a root backdoor.”
“We demonstrate that this can compromise the most sensitive data stored on the phone, including cryptocurrency private keys,” CertiK’s report said.
However, a Solana Labs spokesperson told Cointelegraph that CertiK’s claims are inaccurate, and its video did not reveal any legitimate threat to the Saga device.
Android’s internal Open Source Project documentation shows that unlocking a bootloader can be performed across a wide range of Android devices.
Solana Labs said that to unlock the bootloader and install custom firmware, an attacker would have to go through multiple steps, which can only be performed after unlocking the device with the user’s passcode or fingerprint.
“Unlocking the bootloader wipes the device, which users are alerted about multiple times when unlocking the bootloader, so it’s not a process that can take place without
Read more on cointelegraph.com