That means shit, if someone can compromise your bootloader in a hotel or some other public place then they’ll get to your data either way once you turn on the phone. This is one very small and very important detail that all those tech YouTubers pro-privacy, security and whatnot love to ignore as it is the really hard one that makes all the difference.
Secure boot is a complex subject and it requires a lot of work and checks to make sure nobody tampered with your device and Graphene / Pixel are the ones that really give a shit about that (except for Apple that wants to block jailbreaking and pirated Chinese app stores at all costs).
I never really understood how this kind of attack happens. Can it simply be done in any phone? What are the required conditions?
This is the classic “evil maid attack” applied to phones instead of laptops.
Ah I see, does that mean that in terms of security, switching to another ROM on a phone with non re-lockable bootloader is a downgrade from the stock ROM?
It depends on your goal. If you plan to have any kind of boot / data security and the device can’t be re-locked with an alternative ROM you’re essentially better with the stock ROM in a locked state.
Now that’s kind of a personal choice, I believe the instant damage done by someone stealing your phone and getting your data (because your bootloader was unlocked) is considerably larger than the privacy implications of running the stock / vendor Android. For what it’s worth, if you can root your stock Android and firewall everything that seems suspicious it might be better than running an alternative ROM without a secure boot. Even with an alternative ROM you can run into privacy issues, take for example here CalyxOS running on Qualcomm CPUs. What’s interesting here is that this issue doesn’t happen in Graphene because they’re actually better at covering all grounds than CalyxOS and others seem to be.
Don’t you think it’s easier, due to inattention when installing a compromised app, a privilege escalation attack through root or actually an invasion due to the amount of bloatware from companies that take their piece of the pie in the Stock ROM (even though they would do cleaning via ADB) and even worse rooted to block this suspicious traffic be something more harmful for the user?
Because the ability to steal the decryption password in RAM memory due to the unlocked bootloader is a little less likely for the thief to have.
I use LineageOS and I feel much better, since my cell phone is Xiaomi, than using MIUI, which is from a Chinese big tech company and has proprietary code.
The attack you’re describing is a typical automated thing where hackers are exploiting dozens of devices in some automated fashion, that can happen but the damage is different. They might get your data but that’s usually sold on the black market in a bundle of compromised data. It will take some time for the info to get sold and for the buyer to act on it and sometimes they may never act - after all you’re one compromised device among millions. Even if the buyer does act, it’s more likely he’ll simply use your device in a botnet to fake clicks on ads or DDoS something and profit that way. The key aspect of those attacks is that you’ve time to flag suspicious activity and act.
However, if you carry an unlocked phone and someone steals that from you there’s a very high chance that it isn’t a random burglary, according to statistics most burglaries are committed by someone who knows the victim aka is targeting you specifically. If you’re targeted by someone or some entity they’ll want your data and accounts and they’ll have the time, resources and attention focused on you, giving you little to no time to react. This is why I would NEVER use a phone without a secure bootloader.
Thanks for the info! I agree, without being able to outright change phone, you can only choose your tradeoffs
Exactly.
Tell you what: I agree with you on this. If one is truly paranoid and takes physical security into account, a rooted stock OS is a far better option in terms of restricting access to system files (not saying the CIA/MOSSAD can’t do it, but your random reddit-informed script kiddie definitely can’t). Indeed, rooting your stock OS, firewalling everything and deleting telemetry might be a decent idea (there are ways to install security patches on rooted mobiles, not to worry).
Edit: on the matter of CalyxOS, I wouldn’t go as far as to fault them on it. Graphene has taken a resolution to either block/use their own almanac servers. This requires a fair bit of work. Oh, and what domain do Google chips use for almanacs anyway?
Yes, but if you want to sell a secure OS to people it should be really secure and not have big blind spots hidden from the users like this one.
One could argue about funding/interest when there are other things to fix. Essentially, when someone develops FOSS, people don’t get to order them around on what to do. I’m very pleased with what Calyx and Graphene have achieved till date and support them wholeheartedly (speaking of which, I should get back to donating, money is a bit tight though). But yes, perhaps a disclaimer for the paranoid people on Calyx’s website could be a decent idea.
It isn’t about being paranoid. It’s about knowing where you’re stepping, not everyone has time / can do proper research and I’m sure there are people running Calyx / others that aren’t aware of that boot security issue and if they were they wouldn’t be using it.
Look, those projects are great as you said and I’m very grateful they exist but people should know what they’re “buying into” when it comes to security and privacy.
I think the industry/market generally realises that Graphene is the most secure Android OS there is. I’m interested in trying to understand how they implemented locking the bootloader and why other ROMs aren’t picking this up yet. Maybe it’s just a lot of work.
I think people who go on to flash Calyx definitely know the advantages of locking one’s bootloader and that using Calyx doesn’t let you do that. I think ROMs such as these also explicitly mention that the bootloader cannot be locked once said ROM is installed. I understand if someone doesn’t have the time but if they had enough time to understand how to flash a ROM on their mobile one would think they’d be interested in such details too (well, if they aren’t, then they likely don’t care).
From what I know it isn’t only about “a lot of work”, it’s about phone vendors having to support that in the first place.
From what I see in this post and others doesn’t seem like it. Seems like a lot of people are unaware of this issue.