Remote Erase If I Lose Graphenos

Sebas33

Hello everyone, I have a question, is there a way to remotely delete a lost cell phone with graphenes?

DeletedUser69

Sebas33 why would you want to delete it if you can't find it and you use strong encryption?

GrapheneOS

Sebas33 You can grant an app the special wipe permission that's part of the device admin feature. Remote wipe doesn't won't work well as a concept because it requires that the device still has network access. Most of these apps also aren't smart enough to implement Direct Boot support to work in the Before First Unlock state which the device will get back to automatically via the auto-reboot feature. Auto-reboot is a very good thing and should not be disabled. It's possible for apps to implement Direct Boot support to work Before First Unlock in a limited way but few do. We can't recommend any apps for this, but they exist.

Sebas33

DeletedUser69

DeletedUser69 to avoid in the worst case that they can enter the device either by a pin unlock etc

DeletedUser69

Sebas33 then you should start using strong encryption, chances are you won't see your phone again. Two kinds of users annoy me, overconfident tinkerers and lazy privacy enthusiasts.

danishgraphene

DeletedUser69 Isn't it a valid question after all when time passes, and the phone isn't updated, a vulnerability can be found? Like CVE-2022-20465 which enabled bypassing lock screen.

BuffaloStance

DeletedUser69 Two kinds of users annoy me, overconfident tinkerers and lazy privacy enthusiasts.

Cool story? I don't feel that @Sebas33 should be painted as either of these "kinds of users that annoy you" for merely suggesting as they did. This is a public forum for users to share, learn and discuss GOS, after all. As such, I appreciate the thoughtful/helpful/official response from GOS on the matter.

DeletedUser69

danishgraphene if you asked me what would I rather, danish blue or MitID, without a moment's pause it would be danish blue because that doesn't require Google Play Services. By the way the CVE is over 2 years old so any newer device will have mitigated it.

GrapheneOS

danishgraphene

Isn't it a valid question after all when time passes, and the phone isn't updated, a vulnerability can be found? Like CVE-2022-20465 which enabled bypassing lock screen.

That didn't work in the Before First Unlock state, which the auto-reboot feature gets the device back back to automatically. It was also fixed early in GrapheneOS. If time passes, the device will be in Before First Unlock and data will be at rest. Vulnerabilities in the OS won't provide access to data stored in profiles, only the small amount of device encrypted data. There will be a toggle to make all data credential encrypted with a boot password prompt though.

Remote erase won't work if an attacker doesn't allow the phone to contact cellular via a faraday bag or similar setup. If you have a physical SIM they can simply remove it. You're talking about an attacker exploiting the device but yet not taking basic measures to stop it being remote wiped.