Solana has issued a statement to Blockworks, rejecting CertiK’s allegation of a “vulnerability” in the Solana Saga phone. CertiK, a blockchain security auditor, claimed on Wednesday that it discovered a vulnerability in the Solana Saga phone.
The Saga phone is an Android device powered by Solana, the first of its kind. According to CertiK, the phone has a bootloader vulnerability that allows a malicious actor to install a backdoor on the device and compromise its software integrity. This could expose any data stored on the phone to attackers.
“The boot loader is unlocked and software integrity cannot be guaranteed. Any data stored on the device may be available to attackers. Do not store any sensitive data on the device,” reads a message on the Saga’s screen after the backdoor installation, as shown in CertiK’s video.
CertiK said that this message indicates that the phone has been hacked. The text is the standard warning that Android Verified Boot displays at every boot on a device whose bootloader is in the unlocked (“orange”) state, so it is not specific to the Saga. It is unclear from the video whether CertiK found anything beyond that state on the Saga or whether the same steps apply to other Android devices as well. CertiK did not respond to Blockworks’ request for comment.
Steven Laver, the lead software engineer of mobile at Solana Labs, told Blockworks in an email that “the CertiK video does not reveal any known vulnerability or security threat to Saga holders. The video shows the user unlocking the bootloader, which is something that can be done on many Android devices.”
The Android Open Source Project (AOSP) documentation explains how to lock and unlock the bootloader. “Unlocking the bootloader is an advanced feature of Saga, and is disabled by default. We believe in allowing users the choice of how they use their phone, however, unlocking the bootloader is not a security vulnerability – a user must explicitly allow such changes to be made to their device, and those changes can only be made by an authorized user of the phone,” Laver added.
He also said that if a user or an attacker unlocks the bootloader, they will see multiple warnings and their device will be wiped, along with their private keys. “So it’s not a process that can take place without users’ active participation or awareness,” Laver said.
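For a Saga holder who wants to verify which state their own device is in, the properties the bootloader hands to Android at boot are the place to look. The script below is an added example written for this page, not code from Blockworks, CertiK or Solana Labs. It parses `adb shell getprop` output and classifies the device using Android Verified Boot’s own state names (green, yellow, orange, red) together with the `ro.boot.flash.locked` and `ro.boot.vbmeta.device_state` properties; the verdict labels (`LOCKED`, `UNLOCKED`, and so on) are this script’s own, and the sample property lines are constructed to show what an unlocked device reports. The unlock path it assumes is the stock Android one: the owner enables “OEM unlocking” under Developer options, then runs `fastboot flashing unlock`, which wipes the device.

```shell
#!/bin/sh
# Added example (not from the article or Solana Labs): classify an Android
# device's bootloader / verified-boot state from `getprop` output.
# Property names and the green/yellow/orange/red states are Android Verified
# Boot's; the verdict labels are this script's own.

# Pull one value out of `getprop` output, whose lines look like
#   [ro.boot.verifiedbootstate]: [orange]
prop_value() {
    grep -F "[$1]: [" | sed 's/^[^]]*\]: \[//; s/\]$//' | head -n 1
}

# Read getprop output on stdin and print one verdict line.
boot_state_verdict() {
    props=$(cat)
    vbstate=$(printf '%s\n' "$props" | prop_value ro.boot.verifiedbootstate)
    flash_locked=$(printf '%s\n' "$props" | prop_value ro.boot.flash.locked)
    device_state=$(printf '%s\n' "$props" | prop_value ro.boot.vbmeta.device_state)

    case "$vbstate" in
        orange)
            # Bootloader unlocked: the "software integrity cannot be
            # guaranteed" screen quoted in the article is this state's warning.
            echo "UNLOCKED" ;;
        red)
            # Bootloader locked, but the boot image failed verification.
            echo "VERIFY_FAILED" ;;
        yellow)
            # Locked, booting an image signed with a user-installed custom key.
            echo "LOCKED_CUSTOM_KEY" ;;
        green)
            # Cross-check the flag properties: green plus an "unlocked" flag
            # means the reported properties disagree and deserve a closer look.
            if [ "$flash_locked" = "0" ] || [ "$device_state" = "unlocked" ]; then
                echo "INCONSISTENT"
            else
                echo "LOCKED"
            fi ;;
        *)
            echo "UNKNOWN" ;;
    esac
}

# Constructed sample: what getprop shows after `fastboot flashing unlock`.
SAMPLE_UNLOCKED='[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]'

# Against a real device:  adb shell getprop | boot_state_verdict
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UNLOCKED" | boot_state_verdict
fi
```

A device that prints `LOCKED` here cannot have had its bootloader unlocked without the owner toggling OEM unlocking and accepting the wipe that Laver describes; anything else is worth investigating before trusting keys stored on the phone.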
The video also shows how an attacker could drain bitcoin from the wallet attached to the phone. However, it does not show the use of Seed Vault, which protects both supported digital assets and seeds.
Seed Vault was announced in June 2022, and “accesses the highest privileged security environment available on a device, from secure operating modes of the processor to dedicated Secure Elements, which enables a secure transaction signing experience through UI components built into Android.”
Saga was launched in April, as a smartphone that integrates Web3 with Android. It has a separate app store for Solana, in addition to the traditional app stores.
The phone is designed to allow users to have “self-custody of their assets” and to make them “feel comfortable bringing those assets with them on the go,” Laver told Blockworks when the phone was launched. Months after the launch, the price of Saga was reduced to $599 from $1,000, a 40% cut.