DeletedUser88 Will Auditor detect anything wrong if it was set up after this theoretical compromise has already taken place?
Software compromises (rootkits) shouldn't persist across Verified reboots.
And of course, you'd want to factory reset to make sure anything that was installed to non-measured / non-Verified (at boot) parts to the OS (like apps) is blackholed.
From what I can tell, if you suspect hardware compromises, then it is game over for that device.
This ^^^.
EU citizen. I don't like carrying electronics through customs, especially US, UK and AU customs. Phones and laptops have been searched by all three listed. It is not that the content is illegal. 34 white woman... I don't fit the demographics for child porn or terrorism. The content is simply private and proprietary and not for random dissemination. Loosing control of my devices they may as well be bricked so I prefer to leave electronics at home and pick up replacements at my destination.
I assume if there is a persistent compromise while the Pixel is on Stock OS then the device will fail to boot as well due to verified boot?
DeletedUser88 Verified boot prevents modifying the firmware or OS images without a sophisticated exploit to bypass verified boot for either the firmware or OS. It also prevents downgrading the firmware past a rollback version upgrade or downgrading the OS past a security patch level upgrade since that's used as the rollback version for the OS and gets incremented every month with each stock OS release in practice, other than a rare case they might do a YYYY-MM-05 security patch level release prior to a quarterly/yearly update with the same patch level later in the month. The hardware keystore rollback protection takes OS version into account though.
An sophisticated exploit of verified boot of the OS could allow surviving factory reset from recovery but not flashing from fastboot mode. Surviving flashing the firmware/OS would require replacing fastboot mode with their own, implying having a lower-level verified boot exploit not only an exploit for OS verified boot performed by the firmware for the core OS and by the OS itself for the rest of the OS.
This is theoretically possible but not something that is particularly likely to have even been developed to work against the stock Pixel OS in practice. How often do regular users even factory reset, let alone reflashing the OS from fastboot mode? It's an incredibly niche purpose for an exploit and it's much harder to develop than a local privilege escalation exploit for the OS. It's also probably harder to develop than a remote code execution exploit in most cases. They would need to find vulnerabilities in a far smaller amount of code which can be triggered while the device boots and verifies the early firmware and later OS images. It's even quite feasible that there are not vulnerabilities to exploit without physical tampering, unlike the massive attack surface of browsers and the OS. Most of the vulnerabilities in this niche would be a failure to implement the basics of verified boot properly rather than a typical memory corruption bug since there's so little attack surface. It's quite possible there are vulnerabilities but it's such a small amount of attack surface exposed by persistent state to the early firmware and OS while verifying.
We've removed the completely unsubstantiated claims of a device running the stock Pixel OS being compromised in an incredibly deep way which bypassed verified boot through exploiting the early firmware verification process. No evidence of it has been provided or even an explanation of why the person believes their device is compromised. If they're being targeted with such sophisticated exploits, why are they aware of the device being compromised in the first place? How do they know it's happening? Many people come to us claiming their device was compromised and it turns out they lack any reason to think that and simply have a strong believe nearly any device they use is compromised based on running into things like minor UI bugs or higher battery drain than they expect. There are people actually being targeted with exploits but they would not typically be aware of it unless features caught the exploit happening or found signs of a payload reused to target many people with flaws allowing it to be detected.
GrapheneOS Thank you for your answer. Would such a low-level verified boot exploit fail an Auditor attestation if Auditor was set up before the compromise? What about if Auditor was set up after the compromise?
DeletedUser88
Bluntly, if that level of exploit is used against you or a reasonable threat given your threat model then you are a direct national security target of a major nation.
In which case, no one can realistically make any real promises and you likely have the resources to just burn that phone and get another.
As a practical matter, a factory reset will take care of anything you actually have to worry about.
JollyRancher Bluntly, if that level of exploit is used against you or a reasonable threat given your threat model then you are a direct national security target of a major nation.
Oh such a compromise is definitely not within my threat model. Would like an answer for the sake of information is all.
JollyRancher As a practical matter, a factory reset will take care of anything you actually have to worry about.
What about the installing of hardware beacons that a former whistleblower warned certain countries do:
https://www.businessinsider.com/nsa-tao-intercepting-packages-2014-5
Journalists, diplomats and high profile individuals sometimes need to hand over their phones for a length of time when covering sensitive topics. This might be a silly question, but I don't suppose there's an app that scans if a beacon or some fishy non-Pixel hardware chip has been installed?
K8y
No software solution will detect that. Power draw is basically always variable enough, and those devices low power enough, that you aren't going to detect the tampering without a physical examination.
GrapheneOS replacing fastboot mode with their own
Would Verified Boot catch / detect the replaced fastboot image (or recovery image for that matter) and warn?
GrapheneOS quite feasible that there are not vulnerabilities to exploit without physical tampering
Interesting. Anyone aware of any form of publicly known physical tampering that has broken Verified Boot? Curious since the RoT/RoV are required to be "tamper resistant" and so the tampering must happen elsewhere?
GrapheneOS Most of the vulnerabilities in this niche would be a failure to implement the basics of verified boot properly rather than a typical memory corruption bug since there's so little attack surface
Unsure if what Christopher Wade demonstrated (not on Pixels) at DEFCON 31 qualifies, but it was pretty impressive to see: https://youtu.be/31xrNuH1RV4 / https://ghostarchive.org/varchive/31xrNuH1RV4
GrapheneOS why is the factory reset more extensive on the boot menu compared to the factory reset through the OS?
System crash report notification may indicate an exploit attempt on GrapheneOS. It will report some kinds of crashes.
dasaint100
An exploited OS can feign a factory reset that is initiated from within the OS
