USB-C port: Charging-only. How much security does it actually provide?

ProfessorMonks

Hi everyone

I have a query about enabling the Charging-only option in USB-C port in the exploit protection area. How much protection does it provide in the event that a specialist data extraction company such as Cellebrite attempts to extract an up-to-date GOS device, after first unlock (AFU)?
Screenshot: https://ibb.co/XZBT4Ks3

A device is decrypted AFU but the device is in locked state (pin/pattern/password needs to be entered), does the Charging-only feature stop them gaining access or running commands? In this example, developer settings and ADB are disabled. Without being able to connect to the device, how else would a company extract data even if it is AFU?

GOS has said that the Charging-only feature disables it at software and hardware level.

Thank you

GrapheneOS

ProfessorMonks The default is already charging-only while locked. There isn't much benefit to charging-only over charging-only while locked for the described threat model. The purpose of that stricter mode is more so that you don't expose USB-C data as attack surface when charging while using the device such as a computer that's compromised or malicious charger trying to exploit it.

JollyRancher

To do anything to a device, you have to interact with it.

The ways to interact with a Pixel smartphone are the touch screen, the power & volume buttons, the USB-C port, Bluetooth, WiFi, and the cellular modem.

All of the professional data extraction tools use the USB-C port to do their interacting, so setting it to charging only essentially ends their ability to attack the device right there.

Maybe, if they could get the phone into a lab before the reset window (18 hours by default), they could manage some kind of direct hardware interface to bypass the USB port being blocked. I don't know enough about the possibilities in that space to have a credible opinion on viability.

As a practical matter though, unless you are facing a very well resourced threat actor who knows you are running GOS and has already prepared in advance of seizing your phone, bureaucracy and logistical considerations will get you passed the reset time window so it will be BFU.

Realistically, law enforcement seizes your phone. Then they need to get that phone back to the station, entered into the system as evidence, and transported to the technical unit. If they haven't already done so then (in the US at least, your mileage may vary in other jurisdictions) they need to get a warrant to extract your phone. Then, once they have the warrant, the technical specialist needs to get around to attempting the extraction. Then, having realized that Cellebrite isn't working they likely contact them asking for advice. Then comes contacting a specialized lab to attempt more exotic methods of extraction. Absent an existing relationship that means contract negotiations and getting the expense approved (such work has a price tag in the tens of thousands of dollars). Then comes transporting the phone to them.

The 18 hour window can get used up very fast. If its a serious concern, lowering it down to a few hours is perfectly viable and would make any such attack a practical impossibility.

ProfessorMonks

Thank you for your insightful response, you have pretty much answered my query.

Personally, I have a 12 hour reset timer set. Unfortunately, 8 hours is slightly too short as I tend to oversleep and wake up to a reset phone which means I need to enter a tediously long entry to unlock my device.

oci3o

For 99% of us, this should be seen as a nice to have, potentially for some an annoyance.

For us Normie's who's threat model isn't a govt entity or some highly resourced group, this could be used against theft (if a thief has some understanding on resetting a phone to sell it) or protecting against rogue power outlets in places like airports for example.

Its a high security tool, but nice to have for us Normie's just in case for less sophisticated threats.