Solana Labs has strongly contested the claims made by blockchain security firm CertiK regarding the security of Solana’s crypto-enabled Saga phone. CertiK had alleged the presence of a critical “bootloader vulnerability” in the device, which could potentially compromise sensitive data, including cryptocurrency private keys. Solana Labs, however, has refuted these claims, asserting that CertiK’s findings are inaccurate and do not pose a legitimate threat to Saga phone users.
CertiK’s allegations
On November CertiK released a video in which they asserted that the Saga phone contained a “critical vulnerability” known as a “bootloader unlock” attack. According to CertiK, this vulnerability could allow malicious actors with physical access to the phone to install hidden backdoors via custom firmware, potentially compromising sensitive data, including cryptocurrency private keys. CertiK’s report stated that this could pose a significant security risk to Saga phone users.
Solana Labs’ response
In response to CertiK’s claims, Solana Labs has categorically denied the existence of any known vulnerability or security threat to Saga phone users. Solana Labs emphasized that unlocking the bootloader and installing custom firmware would require multiple steps, which can only be executed after unlocking the device using the user’s passcode or fingerprint. Furthermore, Solana Labs pointed out that unlocking the bootloader results in a complete device wipe, a process that users are repeatedly alerted about, making it impossible for such actions to occur without the user’s active participation or awareness.
Bootloader unlock process
Solana Labs clarified that the process of unlocking the bootloader is not something that can be initiated without the user’s explicit consent. Android’s internal Open Source Project documentation corroborates this, indicating that bootloader unlocking is possible on a wide range of Android devices but involves a series of warnings and user consent. Ignoring these warnings during the bootloader unlock process leads to the device being wiped, along with any private keys stored on it.
The Saga phone,a crypto-enabled smartphone developed by Solana Labs, was released in April 2022 with a price tag of $1,099. One of its key features is a Web3-native DApp store, aimed at integrating cryptocurrency applications into the device’s hardware. However, just four months after its launch, Solana Labs decided to reduce the price of the Saga phone to $599, following a significant decline in sales.
At the time of reporting, CertiK had not provided a response to Solana Labs’ rebuttal. It remains to be seen whether CertiK will address the refutation and provide further insights into their findings or if they will revise their assessment based on Solana Labs’ counterclaims.