Solana Labs has responded to claims by blockchain security firm CertiK about a potential security vulnerability in its crypto-enabled Saga phone. According to CertiK, the Saga phone, which is an Android device, has a bootloader vulnerability that could allow the installation of a hidden backdoor, compromising sensitive data such as cryptocurrency private keys.
However, Steven Laver, the lead software engineer of mobile at Solana Labs, clarified that the CertiK video does not reveal any known vulnerability or security threat to Saga users. Laver explained that the video simply shows the user unlocking the bootloader, a process that can be done on many Android devices and is considered an advanced feature of the Saga phone. This feature is disabled by default. Unlocking the bootloader requires explicit user permission and wipes the device, and the user is alerted about the implications multiple times during the process.
Additionally, Solana Labs mentioned that unlocking the bootloader and installing custom firmware would require an attacker to overcome multiple steps, including unlocking the device with the user's passcode or fingerprint. Unlocking the bootloader involves a series of warnings, and if the user proceeds past them, the device is wiped along with any private keys stored on it, so the process cannot occur without the user's active participation or awareness.
The Solana Saga phone was released in April 2022 with a price tag of $1,099 and offers a Web3-native decentralized application store, aiming to integrate cryptocurrency applications into tech hardware. However, four months after its launch, Solana reduced the price to $599 following a significant decline in sales.
In conclusion, Solana Labs has strongly refuted CertiK's claims, emphasizing that the bootloader unlocking process is a controlled and secure feature of the Saga phone, designed with user awareness and explicit consent in mind.