Full Report
Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools. On Friday, Amnesty International published a report detailing a chain of three zero-day vulnerabilities developed by phone-unlocking company Cellebrite, which its researchers found after investigating the hack of a student protester’s phone in Serbia. The […] © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
This article reports on the discovery and patching of several previously unknown Android vulnerabilities exploited in the wild, specifically involving forensic tools used by authorities.
# Vulnerability: Chain of Android Zero-Days Exploited via USB for Device Unlock
## CVE Details
- CVE ID: Not explicitly provided in the text. (The flaws had been fixed by Google by the time of reporting.)
- CVSS Score: Not provided.
- CWE: Not explicitly provided. (Likely related to Input Validation/Improper Neutralization in the USB kernel.)
## Affected Systems
- Products: Android operating system (core Linux USB kernel component).
- Versions: Undisclosed, but patched by Google following disclosure. Because the flaws lie in the kernel, potentially over a billion Android devices are affected.
- Configurations: Exploitation was achieved using forensic tools (specifically linked to Cellebrite tools) connected via USB.
## Vulnerability Description
Researchers at Amnesty International uncovered a chain of three zero-day vulnerabilities in the Linux kernel's core USB code as used by Android. These flaws were reportedly leveraged by the phone-unlocking company Cellebrite, enabling authorities (in this case Serbian authorities) to unlock an activist's device using forensic tools connected over USB. Because the vulnerabilities reside in the kernel, they affect a broad range of Android vendors and devices.
## Exploitation
- Status: **Exploited in the wild** (used to hack a student protester's phone in Serbia, traced back to mid-2024).
- Complexity: Implied to be relatively low for entities possessing the specialized forensic tools (like Cellebrite).
- Attack Vector: **Local** (requires physical USB connection/access to the device, or remote manipulation leading to a USB connection event).
## Impact
- Confidentiality: High (Allows extraction of data, as the tools unlocked the device).
- Integrity: Medium/High (Potential to modify data or install further compromise tools, as suggested by the context of previous attacks using Cellebrite).
- Availability: Low (The attack focused on access, not denial of service).
## Remediation
### Patches
- Google's Threat Analysis Group (TAG) identified and fixed the three separate flaws after being notified by Amnesty International. Specific CVEs and required Android security bulletin versions are **not detailed** in this summary.
### Workarounds
- No vendor-provided workarounds are mentioned; the only remediation described is the patch released by Google.
## Detection
- Detection methods are not explicitly detailed.
- No indicators of compromise (IOCs) are listed. Detection would likely rely on monitoring for unusual USB debugging or connection activity consistent with the use of specialized forensic tools, but no signature-based detection is described.
## References
- Vendor advisories: Google TAG was involved in the fix process (implied Google Android Security Bulletins).
- Relevant links:
  - Amnesty International report detailing the findings (linked via X/Twitter: twitter dot com/DonnchaC/status/1895387281026097153)
  - Previous related report on Serbian authorities using Cellebrite: techcrunch dot com/2024/12/15/serbian-police-used-cellebrite-to-unlock-then-plant-spyware-on-a-journalists-phone/