September 2024 Android Security Bulletin includes a patch for the wipe bypass we reported: CVE-2024-32896. It’s actively exploited by forensic companies across devices. Pixels patched it in June 2024…

September ASB: https://source.android.com/docs/security/bulletin/2024-09-01

June PUB: https://source.android.com/docs/security/bulletin/pixel/2024-06-01

We reported several vulnerabilities exploited by forensic companies in January 2024. We proposed implementing firmware reset attack mitigation and wipe-without-reboot. Pixels shipped reset attack mitigation in April 2024 and also a firmware mitigation making wipe bypasses harder.

In June 2024, Pixels shipped our wipe-without-reboot proposal to fully eliminate wipe bypasses. The full solution is a set of AOSP patches (https://android.googlesource.com/platform/frameworks/base/+/8b7b2c66ca96d711fb364cbcc9d655197d9743e0) but they still classified it as a firmware patch since it was treated as phase 2 of the Pixel firmware patches.

We pointed out that it was actually an AOSP patch which should be shipped for all devices, and they agreed with us and scheduled it for inclusion in September. Wipe bypass is now finally going to be fixed for non-Pixels. Reset attack mitigation will still be missing elsewhere.

We extended wipe-without-reboot with extra wiping and use it as part of our duress PIN/password feature.

Forensic companies are still able to exploit stock OS Pixels, but reset attack mitigation helps prevent bypassing GrapheneOS security via firmware.

https://grapheneos.social/@GrapheneOS/112826160880324005

Each month, there’s a new Android monthly, quarterly or yearly release. This month is a monthly release of Android 14 QPR3, the 3rd quarterly release of Android 14 from June 2024. Android Security Bulletins have a subset of overall privacy/security patches. This is one example.

Android Security Bulletins include the High and Critical severity patches for the Android Open Source Project backported to older releases (12, 12.1, 13, 14) and a small selection of firmware/driver patches for specific hardware. Non-Pixels ship these backports. Pixels ship more.

Android OEMs are responsible for making their own more complete set of patches and incorporating patches from the SoC vendor and other hardware vendors for their devices. The Pixel Update Bulletins largely consist of these extra patches from Samsung, Qualcomm, Broadcom, etc.

Low and Moderate severity patches are almost entirely not backported to older Android releases and aren’t listed in the Android Security Bulletins.

Android 14 QPR3 from June is the current major release, not Android 14. Monthly updates since then contain more than the ASB patches.

The patch for CVE-2024-32896 was included in what was then an upcoming major release (Android 14 QPR3 in June 2024), which is why non-Pixel devices didn’t get it: they don’t actually update to the new monthly/quarterly releases. Now that it’s in the ASB, they’ll apply the backport.