Solana hoses down ‘inaccurate’ CertiK report on Saga phone security flaws

CertiK claims Solana’s Saga smartphone contains a critical “bootloader vulnerability” — Solana Labs says the claims are entirely inaccurate.

A recent video from blockchain security firm CertiK made a series of “inaccurate” claims about a potential security vulnerability in Solana’s crypto-enabled Saga phone, Solana Labs has said. 

In a Nov. 15 post on X (formerly Twitter), CertiK claimed the Saga phone contained a “critical vulnerability” known as a “bootloader unlock” attack which would supposedly allow a malicious actor to install a hidden backdoor in the phone.

In a report sent to Cointelegraph, CertiK claimed the bootloader unlock would “allow an attacker with physical access to a phone to load custom firmware containing a root backdoor.”

“We demonstrate that this can compromise the most sensitive data stored on the phone, including cryptocurrency private keys,” CertiK’s report said.

However, a Solana Labs spokesperson told Cointelegraph that CertiK’s claims are inaccurate, and its video did not reveal any legitimate threat to the Saga device.

“The CertiK video does not reveal any known vulnerability or security threat to Saga holders.”

Android’s internal Open Source Project documentation shows unlocking a bootloader can be performed across a wide range of Android devices.

Solana Labs said to unlock the bootloader and install custom firmware, an attacker would have to go through multiple steps, which can only be performed after unlocking the device with the user’s passcode or fingerprint.

“Unlocking the bootloader wipes the device, which users are alerted about multiple times when unlocking the bootloader, so it’s not a process that can take place without users’ active participation or awareness,” Solana Labs said.

Related: Making real-world blockchain solutions possible — Solana co-founder Raj Gokal

Additionally, if anyone proceeds to unlock the bootloader on an Android device, they’re subjected to a series of warnings about the implications of the process.

If they ignore these warnings, the device will be wiped along with their private keys.

The Solana Saga phone was released in April 2022 for a $1,099 price tag. The phone offers a Web3-native DApp store in a bid to integrate crypto apps into tech hardware.

Four months after launch, however, Solana slashed its price to $599 — following a steep decline in sales.

CertiK did not immediately respond to a request for comment on Solana Labs’ rebuttal.

Magazine: I spent a week working in VR. It was mostly terrible, however…

Read Entire Article


Add a comment