According to Solana Labs, a recent video from blockchain security company CertiK made a number of “inaccurate” claims regarding a possible security flaw in Solana’s cryptocurrency-enabled Saga phone.
The Saga phone was allegedly subject to a “critical vulnerability” that could be exploited by a malicious actor to install a hidden backdoor through a “bootloader unlock” attack, according to a post made by CertiK on X (previously Twitter) on November 15.
Ever wondered about the security of your Web3 devices?
Our newest exploration reveals a significant bootloader vulnerability in the Solana Phone, a challenge not just for this device but for the entire industry. Our commitment to enhancing security standards is unwavering. 🔐… pic.twitter.com/lHZ5W7hXzy
— CertiK (@CertiK) November 15, 2023
The bootloader unlock would “allow an attacker with physical access to a phone to load custom firmware containing a root backdoor,” according to a CertiK report sent to Cointelegraph.
According to CertiK’s report, “We demonstrate that this can compromise the most sensitive data stored on the phone, including private keys for cryptocurrencies.”
A Solana Labs representative, however, informed Coinbrit that CertiK’s assertions are untrue and that its footage shows no real threat to the Saga device.
“The CertiK video does not reveal any known vulnerability or security threat to Saga holders.”
According to the official Android Open Source Project documentation, a variety of Android devices can have their bootloaders unlocked.
According to Solana Labs, an attacker would need to complete a number of steps—steps that can only be taken after the device has been unlocked using the user’s passcode or fingerprint—in order to unlock the bootloader and install custom firmware.
“Unlocking the bootloader wipes the device, which is a process that can take place without users’ active participation or awareness,” according to Solana Labs. Users are alerted about this multiple times during the unlocking process.
In addition, a number of cautions about the potential consequences are displayed to the user if they choose to unlock the bootloader on an Android device.
If they disregard these alerts, the device will be wiped and their private keys deleted along with it.
The $1,099 Solana Saga phone went on sale in April of 2022. In an effort to incorporate cryptocurrency apps into tech hardware, the phone provides a Web3-native DApp store.
In April, we introduced Saga with a clear vision: to put web3 at your fingertips. We continue to work to bring more people into the ecosystem and drive web3’s mobile future. Today, we are reducing the price of Saga to $599.
Over the past four months, Saga users embraced the… pic.twitter.com/qpC1BHiqZ7
— Solana Mobile 🌱 (@solanamobile) August 9, 2023
However, Solana cut its price to $599 four months after launch due to a sharp drop in sales.
A request for comment regarding Solana Labs’ rebuttal was not immediately answered by CertiK.