• General
  • Can GrapheneOS updates be compromised like Encro etc?

Encro failed with their updating mechanism where law enforcement managed to push fake update(s) giving them full access to the phones. I tried searching on the forum about what GrapheneOS does to prevent this from ever happening but my search skills were not enough.

Can someone enlighten me... How can the auto update feature be trusted? I assume the update is signed by a GrapheneOS key which is verified before accepting the update. But can these computer(s)/person(s) get hacked or identified or blackmailed?

What else is there to worry about in terms of updating safely and not installing an update with surveillance included?

I know Graphene is just a normal Android system but a lot more hardened and secure so any law enforcement should of course go and fxck themselves. But these days you never know how far they extend their long arm of the law, claiming it's a "system used for criminals".

Please share all your input and information about this.

And, is it safer to apply Github updates manually?

Thanks for your wonderful work.

PushPush changed the title to Can GrapheneOS updates be compromised like Encro etc? .

Encrochat and their phone was a scam afaik.

If the servers and signing keys get compromised then yes of course.

  • de0u replied to this.

    IIRC EncroChat servers were hacked by law enforcement (in cooperation with OVH, the server hosting company) and the updates were modified. This can never happen to GrapheneOS, since it has full Verified Boot, and updates are built and signed locally by the devs on their machines. Daniel Micay has shown in the past that he has very good hygiene with signing keys. The cloud servers are only responsible for distributing the updates, which are then checked on your device after downloading them. If the signature doesn't match the original signature that Graphene was signed with, the update won't be applied. In order to load compromised updates onto a device, you would have to compromise the entire OS from the beginning, which would easily be detected when performing normal post-installation steps (https://grapheneos.org/install/web#verified-boot-key-hash).

      missing-root If the servers and signing keys get compromised then yes of course.

      Devices running GrapheneOS place no trust in the update servers. The device won't take an update over the network or via adb sideload unless it's properly signed, or unless a fairly shocking vulnerability is discovered.

      If the signing keys are compromised, or a fairly shocking vulnerability is discovered in the signature-checking process, then GrapheneOS devices are vulnerable. But the same is true in any signed-code ecosystem: Apple devices are vulnerable if Apple's signing keys are compromised; Pixel devices running Google's OS are vulnerable if Google's signing keys are compromised; devices running Microsoft Windows are vulnerable if Microsoft signing keys are compromised...

      At some point one must either build one's own computing infrastructure starting from melting sand to get the silicon, or one must place some trust in somebody.

      P.S. Code-signing ecosystems are tricky. For example: "How a Microsoft blunder opened millions of PCs to potent malware attacks"
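The two replies above describe the same trust model: the device pins the developers' signing key, trusts nothing about where the bytes came from, and accepts an update only if the signature over it checks out; compromised servers cannot help an attacker, but a compromised signing key can. The following Go program is an added illustration of that model written for this thread; it is not GrapheneOS code, and the Ed25519 detached signature, the `Update` struct and the constructed payload are simplifications (real Android OTA packages use a different signed container), chosen only to show why each scenario is accepted or rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is a constructed stand-in for a signed OS update: the payload plus a
// detached signature over it. Real OTA packages use a different container.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Device holds the only trust anchor the client needs: a pinned signing key.
// Nothing about the delivery path (update server, adb sideload) is trusted.
type Device struct {
	pinnedKey ed25519.PublicKey
}

// Accept returns true only if the update is signed by the pinned key.
func (d Device) Accept(u Update) bool {
	return ed25519.Verify(d.pinnedKey, u.Payload, u.Signature)
}

// KeyFingerprint is the SHA-256 of the public key, the analogue of the verified
// boot key hash a user compares against the published value after installing.
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Scenario plays out the cases discussed in the thread and reports whether
// the device accepts each update:
//   genuine        - signed by the developers' key
//   tampered       - server modified the payload, kept the original signature
//   attackerSigned - server replaced payload and signature using its own key
//   keyCompromised - attacker obtained the developers' private key
func Scenario() (genuine, tampered, attackerSigned, keyCompromised bool) {
	// Developers' signing key (kept offline in practice; generated here for the demo).
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Attacker who controls the distribution server but not the signing key.
	_, atkPriv, _ := ed25519.GenerateKey(rand.Reader)

	device := Device{pinnedKey: devPub}

	payload := []byte("constructed update payload v1") // constructed sample data
	good := Update{Payload: payload, Signature: ed25519.Sign(devPriv, payload)}

	// The server alters the payload but cannot produce a matching signature.
	modified := append([]byte("modified "), payload...)
	tamp := Update{Payload: modified, Signature: good.Signature}

	// The server signs its own payload with a key the device does not pin.
	atk := Update{Payload: modified, Signature: ed25519.Sign(atkPriv, modified)}

	// With the real private key, anything can be signed: the residual risk
	// that the thread points out exists in every signed-code ecosystem.
	stolen := Update{Payload: modified, Signature: ed25519.Sign(devPriv, modified)}

	return device.Accept(good), device.Accept(tamp), device.Accept(atk), device.Accept(stolen)
}

func main() {
	g, t, a, k := Scenario()
	fmt.Printf("genuine=%v tampered=%v attackerSigned=%v keyCompromised=%v\n", g, t, a, k)

	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("pinned key fingerprint:", KeyFingerprint(pub))
}
```

The fingerprint function is there because the thread points at the verified boot key hash: pinning the key is only meaningful if the user confirms, once, that the pinned key is the one the developers publish.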

      GrapheneOS devs probably use air gapped computers with strong encryption for signing the updates. Even if the servers are compromised, no malicious update could pass full verified boot.

      Lavabit founder shut down his company rather than giving backdoor access to the US gov. I believe Daniel Micay and the other lead developers of GrapheneOS would do the same to protect users.

      GrapheneOS is much more than a security focused Android operating system, it's a long fight against shit like Pegasus, the NSA, Cellebrite, XRY, Google, millions of companies around the world violating the fundamental right of humans to have privacy by collecting a vast amount of data every day, every hour, every second, so threats are not a big concern for the devs.

      Velocity9490 lol he wiped his hard drive.

      This doesn't tell much about his key hygiene, not saying they are insecurely stored.