CertiK Allegations and Solana Labs’ Response
Blockchain security firm CertiK recently claimed that Solana’s Saga smartphone harbors a critical “bootloader vulnerability.” Solana Labs, however, disputes these allegations, asserting that the claims are entirely inaccurate.
CertiK’s Claims and Solana’s Response
In a video released on November 15 and posted on X (formerly Twitter), CertiK alleged that the Saga phone contains a “critical vulnerability” in the form of a “bootloader unlock” attack. This purported vulnerability could allow a malicious actor to install a hidden backdoor in the phone, according to CertiK.
CertiK’s report sent to Cointelegraph stated that the bootloader unlock would “allow an attacker with physical access to a phone to load custom firmware containing a root backdoor.”
However, a spokesperson from Solana Labs informed Cointelegraph that CertiK’s claims are inaccurate, and the video does not reveal any legitimate threat to the Saga device.
“The CertiK video does not reveal any known vulnerability or security threat to Saga holders,” the spokesperson said.
Unlocking Bootloader Process
Android’s internal Open Source Project documentation shows that unlocking a bootloader is a process applicable to a wide range of Android devices. Solana Labs emphasized that to unlock the bootloader and install custom firmware, an attacker would need to go through multiple steps, achievable only after unlocking the device with the user’s passcode or fingerprint.
“Unlocking the bootloader wipes the device, which users are alerted about multiple times when unlocking the bootloader, so it’s not a process that can take place without users’ active participation or awareness,” Solana Labs explained.
Additionally, users who proceed to unlock the bootloader on an Android device receive a series of warnings about the implications of the process. Ignoring these warnings results in the device being wiped, along with their private keys.
Solana Saga Phone Overview
The Solana Saga phone, released in April 2022 at a price of $1,099, offers a Web3-native decentralized application store, aiming to integrate crypto apps into tech hardware. However, four months after launch, Solana reduced the phone’s price to $599 due to a significant decline in sales.
As of now, CertiK has not responded to a request for comment on Solana Labs’ rebuttal.