Blockchain security company CertiK claims to have discovered a bootloader vulnerability in the Solana Saga smartphone that could allow a backdoor to be installed on the device. However, Solana Labs engineers have denied CertiK’s claims, stating that the so-called “vulnerability” does not pose a security threat.
Solana Saga Allegedly Vulnerable
Blockchain security company CertiK posted on Wednesday (15th), claiming that the Web3 smartphone Saga launched by Solana has a bootloader vulnerability that allows a backdoor to be installed on the device, compromising the initial software responsible for starting up the phone.
In a video from CertiK, a message displayed on the Solana smartphone screen indicates that the phone has been hacked. However, it is currently unclear whether this vulnerability is exclusive to Saga or if it will affect other Android devices.
Solana Denies CertiK’s Claim of “Vulnerability” Constituting Security Threat
Steven Laver, Chief Software Engineer for mobile at Solana Labs, stated in an email to Blockworks:
The documentation in the Android Open Source Project outlines the functionality of locking and unlocking the bootloader. Laver continued:
However, if users or attackers proceed to unlock the bootloader, they will not only see multiple warnings, but the device data will also be erased, along with the private keys. Therefore, Laver stated that “this process cannot occur without user active participation or notification.”
CertiK’s video also demonstrates how attackers can steal Bitcoin from the wallet connected to the Saga smartphone, but does not show the use of Seed Vault, a secure custody protocol that simultaneously protects supported digital assets and seeds.