Gr4 I understand your recommendation to update the stock OS first before flashing from a potentially compromised PC. But under a threat model where such a measure would be necessary, can we really trust the stock OS to nicely update itself and the firmware given 2 years of RCEs and EOPs requiring no user interaction (now patched unless your device has been sitting in a box up till now)?
Almost certainly yes.
If an old Pixel has been sitting on a shelf for two years, and the software on it includes some RCE vulnerabilities, it isn't as if those vulnerabilities will actively invite malware into the device as soon as it's turned on. Each RCE vulnerability must be actively exploited by a program running somewhere that engages that specific device in a conversation designed to fit that particular vulnerability.
If the RCE is in the cellular firmware, somebody needs a way to corrupt a cell site, unless the RCE is exploitable over SS7 or something like that. And the malicious actor needs to detect and target the device and run the exploit to completion before the stock OS can finish downloading the update. If the RCE is in the Wi-Fi stack, somebody needs a way to corrupt a Wi-Fi access point -- and, again, detect and target the device and run the exploit before the stock OS can finish downloading the update. Though this is theoretically possible, it is not easy, and it's a lot harder than how well-resourced actors typically get into devices (often by exploiting some large complicated app that a user runs for months at a time). This is the sort of thing that a medium-powerful nation state might be able to pull off, but only against a small number of targeted individuals. In part this is because it is very impractical for a malicious actor to compromise every cellular site, or every Wi-Fi access point, even in a fairly small area. A somewhat-concerned user can make the job much harder by just going to a randomly-selected place, using a previously-unused SIM from a randomly-selected carrier, etc.
If you personally have reason to believe that you are targeted by a medium-powerful state actor, then arguably instead of posting here about unboxing a two-year-old device the thing to do is to hire a professional security consultant to discuss options for doing that -- or doing something different.
Gr4 Or do we have to only rely on an outdated AVB/bootloader (sorry for any error) to be able to resist anyways? For example, there is a Pixel bootloader EOP and a secure element vulnerability in the September Pixel security bulletin.
Based on previous posts in another thread, the alternative being considered to letting the device update itself over the air is flashing a newer OS from a machine that is believed to be compromised. I doubt any security professional would recommend that approach. If the only options are letting the device update itself over the air versus flashing it from a believed-compromised device, I suspect a competent expert would suggest letting the device update itself over the air.
But those are not the sole options. As discussed in the other thread, it is also possible to borrow or rent a device which is unlikely to be compromised. Two particularly-trustworthy options were suggested: any modern Mac, and a modern Chromebook.
Gr4 Since I lack the skills to properly understand a CVE report, these (as well as the RCEs and EOPs I mentioned earlier) probably don't mean what I think they mean, but I can't help but worry.
It is fine to worry for some period of time, but at some point it will be necessary to bring the worrying phase to a close and to choose some action over the others. After a point, more worrying is not likely to result in a better solution to this problem.
Personally, given the described situation (old firmware on a Pixel, untrusted laptop) I would recommend:
- Go to an unpredictable public Wi-Fi network more than five miles away from your home, where a "more corporate" network is probably better, e.g., a large public library, or a large chain restaurant or coffee shop; enable airplane mode; turn Wi-Fi on; connect to the local Wi-Fi network while the system downloads the update; turn Wi-Fi off while the system finalizes the update and reboots; then turn the device off.
- Borrow or rent a MacBook or a Chromebook, use the web installer.
- I think the least-attractive option would be installing onto a device with old firmware from a machine that is believed to be compromised.
Note that none of those options is certain. But that's because nothing is certain. If the Pixel device has the very-latest firmware and is running the very-latest version of GrapheneOS, it will nonetheless contain RCEs. At present there is no way to get a guaranteed-secure device, so it is not prudent to invest unbounded energy attempting to get one.