Certik has disclosed a vulnerability found in the Solana mobile phone, Saga. The blockchain security focused firm identified the vulnerability in the bootloader unlock feature. However, Certik emphasized that this security threat extends beyond the Solana phone alone, stating that it is a challenge for the entire industry.
In a video explanation, Certik demonstrated the discovery by “backdooring” the Solana mobile phone. A backdoor is typically associated with malware and allows unauthorized access to a system without normal authentication. This grants remote access to system files and the ability to issue commands.
According to the video, if a user sees the message “the bootloader is unlocked and software integrity cannot be guaranteed. Any data stored on the device may be available to attackers. Do not store any sensitive data on this device,” it means that the device has already been hacked.
Once this process is completed, the user’s crypto assets can be drained. Certik also illustrated how crypto funds could be drained and transferred.
In response, many users on Twitter argued that Certik’s discovery is not as groundbreaking as they present it. One user commented, “[This is the] same thing a bored 11-year-old kid could do 10 years ago to get AOSP on Samsung phones to get rid of their bloat.”
The user went on to explain, “Context for those unaware: you need to steal the phone, unlock the bootloader (need the passcode), wipe the phone and install a custom OS (20 min), then restore a backup (1 hour+), return the phone and then PRAY they don’t notice a massive warning every time they boot the phone.”
The Solana Mobile Saga was launched in April. It is designed to provide users with a seamless web3 experience. The Solana Mobile Saga includes features such as a dApp Store, the Seed Vault wallet, the Solana Mobile Stack dApps building toolkit, and Saga Pass, an Android build environment.