{"id":87087,"date":"2023-11-15T18:38:34","date_gmt":"2023-11-15T16:38:34","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=87087"},"modified":"2025-09-13T09:35:33","modified_gmt":"2025-09-13T06:35:33","slug":"certik-flags-critical-vulnerability-in-solanas-saga-smartphone","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/certik-flags-critical-vulnerability-in-solanas-saga-smartphone\/","title":{"rendered":"CertiK flags &#8216;critical vulnerability&#8217; in Solana&#8217;s Saga smartphone"},"content":{"rendered":"<p>CertiK researchers identified a critical vulnerability in Solana&#8217;s Saga smartphone that could allow a user&#8217;s cryptocurrencies to be stolen.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">Ever wondered about the security of your Web3 devices? <\/p>\n<p>Our newest exploration reveals a significant bootloader vulnerability in the Solana Phone, a challenge not just for this device but for the entire industry. Our commitment to enhancing security standards is unwavering. 
\u2026 <a href=\\\"https:\/\/t.co\/lHZ5W7hXzy\\\">pic.twitter.com\/lHZ5W7hXzy<\/a><\/p>\n<p>\u2014 CertiK (@CertiK) <a href=\\\"https:\/\/twitter.com\/CertiK\/status\/1724774322324062524?ref_src=twsrc%5Etfw\\\">November 15, 2023<\/a><\/p><\/blockquote>\n<p>Working in recovery mode, the company&#8217;s specialists managed to install a backdoor on the device and unlock the operating system&#8217;s bootloader.<\/p>\n<p>The smartphone displayed a warning that from that moment, &#8220;the integrity of the software cannot be guaranteed&#8221;.<\/p>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>&#8220;Any data stored on the device may be accessed by attackers,&#8221; the statement said.<\/p>\n<\/blockquote>\n<p>After this, they connected the smartphone to Wi-Fi to establish communication with a command-and-control server on a laptop. With root privileges on the vulnerable device and the use of Bash scripts, the researchers extracted all bitcoins from the built-in wallet.<\/p>\n<p>CertiK did not provide additional comment on the issue.<\/p>\n<div class=\\\"wp-block-text-wrappers-update-2 article_update\\\"><time class=\\\"gtb_text-wrappers_update_time\\\">15 November 2023 | 18:47<\/time><span class=\\\"gtb_text-wrappers_update_head\\\">Update: <\/span><\/p>\n<p>Solana external adviser and HAPI CCO Mark Leczuk clarified that the video CertiK released discloses no known vulnerabilities or security threats for Saga owners.<\/p>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>&#8220;In the video, a user unlocks the bootloader, something that can be done on many Android devices. In Saga, this additional feature is disabled by default. 
However, it is not a security vulnerability \u2014 an authorised user must explicitly permit making such changes to their device,&#8221; the expert explained.<\/p>\n<\/blockquote>\n<p>He also added that one of Saga&#8217;s key innovations is Seed Vault \u2014 an embedded storage system with enhanced security for seed phrases and supported digital assets.<\/p>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>&#8220;Saga users are always advised to enable Seed Vault wallets to protect their digital assets. It is worth noting that Seed Vault is not used in the CertiK wallet shown in the video,&#8221; added Leczuk.<\/p>\n<\/blockquote>\n<p>A similar <a href=\\\"https:\/\/blockworks.co\/news\/solana-saga-phone-vulnerability\\\">statement<\/a> was issued by Saga&#8217;s chief engineer Steven Lauer.<\/p>\n<div class=\\\"wp-block-text-wrappers-update-2 article_update\\\"><time class=\\\"gtb_text-wrappers_update_time\\\">16 November 2023 | 11:16<\/time><span class=\\\"gtb_text-wrappers_update_head\\\">Update: <\/span><\/p>\n<p>CertiK said that the data they presented has been acknowledged by Samsung and Apple.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">We\u2019re encouraged to see that the video we released 12 hours ago has sparked significant discussion. We believe broad adoption of Web3 cannot come without secure mobile environments. 
This commitment of ours to mobile security has been recognized by companies like Samsung and Apple <a href=\\\"https:\/\/t.co\/YnCqCNiM7M\\\">pic.twitter.com\/YnCqCNiM7M<\/a><\/p>\n<p>\u2014 CertiK (@CertiK) <a href=\\\"https:\/\/twitter.com\/CertiK\/status\/1724980390052651201?ref_src=twsrc%5Etfw\\\">November 16, 2023<\/a><\/p><\/blockquote>\n<\/div>\n<\/div>\n<p>Solana Labs first introduced Saga <a href=\"https:\/\/u1f987.com\/en\/news\/solana-team-unveils-saga-a-web3-focused-smartphone\">in June 2022<\/a>. The phone&#8217;s hardware and software incorporate <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-web3\">Web3<\/a> features, enabling its use as a hardware wallet.<\/p>\n<p>Sales of Saga began on <a href=\"https:\/\/u1f987.com\/en\/news\/solana-sets-date-for-saga-smartphone-sales\">8 May 2023<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CertiK researchers identified a critical vulnerability in Solana&#8217;s Saga smartphone that could allow a user&#8217;s cryptocurrencies to be 
stolen.<\/p>\n","protected":false},"author":1,"featured_media":87088,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1159,1160],"class_list":["post-87087","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-solana-sol","tag-web3-smartphones"],"aioseo_notices":[],"amp_enabled":true,"views":"30","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/87087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=87087"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/87087\/revisions"}],"predecessor-version":[{"id":87089,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/87087\/revisions\/87089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/87088"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=87087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=87087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=87087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}