Does desktop mode have any security issues?

de0u

gra123d Can an evil smart monitor read the contents of Downloads folder then?

It is very unlikely but theoretically possible. I would trust monitors more that are made by large companies with important reputations.

gra123d I imagine GrapheneOS team would have considered desktop mode a vulnerable feature if that were the case... or maybe it is an understood trade-off?

At present it's in Developer Options, which have zero expectation of safety.

When Google actually ships it for users, presumably they will have spent some time on it being reasonably secure. The GrapheneOS team may look through the code... but keep in mind that many users will want to use it right away, unless it were widely known to have serious holes -- and some people would use it anyway!

Given the complexity of the USB protocol stack, and the things that run on top of it, plugging anything into the USB port poses some risk. Also, turning Wi-Fi on, or turning the cellular modem on, or downloading an app, all pose some risk.

gra123d (Perhaps GrapheneOS mod will have a definitive answer to this)

There isn't one. Since the code hasn't shipped yet, it hasn't been exploited yet, so it can't be definitively unsafe. Given present security technology, nothing that complex can be definitively safe.

Plugging a Pixel into a "dumb" monitor should be pretty safe. Plugging a Pixel into an Internet-connected "smart TV" made by a company with a reputation for spying on users is probably less safe.

fid03

gra123d I would like to try the "desktop mode" on Pixel 8 mostly for screen mirroring.

de0u At present it's in Developer Options, which have zero expectation of safety.

Please note that screen mirroring is a default feature and does not require Developer options. You plug the phone into a compatible display, a dialog is displayed asking if you'd like to mirror the screen, you allow it or you dismiss it. The more "advanced" version of "desktop mode" is indeed hidden behind developer options.

de0u

fid03 Thanks for the correction!

Still, those with a high threat level may wish to avoid "smart TVs". A web search for tv spyware will likely turn up names of companies and some past behaviors. "ACR" is just the tip of the iceberg.

gra123d

fid03 note that screen mirroring is a default feature and does not require Developer options

de0u those with a high threat level may wish to avoid "smart TVs"

Thank you @de0u and @fid03, this is exactly what my concern is, a feature being default(screen mirroring for now) yet its security implications being unknown/not-discussed.

Hopefully someone from Google or GrapheneOS gives a definitive answer to this once desktop mode rolls out in full form. At worst their response might be to treat external displays similar to how we treat USB or computer connection for file transfer.

Ilgar

Interesting topic.

Hope it's possible use desktop experience without sacrifying security.

de0u

Ilgar Hope it's possible use desktop experience without sacrifying security.

The source code hasn't been available for very long. Now that it's out, presumably over time security researchers will take a look at it (including, I suspect, security researchers who work for attackers).

Connecting a Pixel to a standard computer monitor from a reputable brand is probably much less risky than connecting a Pixel to a "smart TV", especially a "smart TV" connected to the Internet that is from a brand with a history of security bugs and/or surveillance.

Ilgar

de0u I don't trust reputable brands either since my treat model is considering state actors as adversary.

de0u

Ilgar I don't trust reputable brands either since my [threat] model is considering state actors as adversary.

That sounds as if it might potentially preclude using Wi-Fi, cellular, or Bluetooth, since a state actor might point a directional antenna at your device.

If it is believed that the large bodies of code used for those networks are trustworthy to some extent given their maturity, then perhaps after some years you might decide to place similar trust in the code associated with DisplayPort Alt Mode.

Ilgar

de0u I mean there is an option to disable usb functionality in GOS for a reason, and the reason is physical access via data lanes. And also I didn't mean targeted attack of adversary with sophisticated resources but global surveillance attack via consumer products backdoors.

inomfood

gra123d yes, that's definitely possible. I use my steam deck while traveling to watch Formula 1 and I'll plug it into whatever TV is around. About half the time I will start getting advertisements for "F1TV app on Roku" or similar overlaid on my HDMI content, meaning Roku or whoever makes the TV is actively scanning what's on the screen and at the very least using it to push advertisements.

kopolee11

You could also consider using a Pixel Tablet. It has access to desktop mode natively, without needing to connect with another monitor, thereby not having to worry about the monitor as an attack vector.

You'll still likely want to use a keyboard and mouse, which opens up some vulnerabilities but that would be the case with a phone too. And of course the Pixel Tablet is an older device, with only 2.5 years of guaranteed support and missing security features (most prominently memory tagging). Still an option to consider.

Ilgar

kopolee11 it has g2 tensor without mte

Carlos-Anso

If you are worried about this can use a hardware adaptor to change from USB to some video interface - HDMI, Display Port, VGA, DVI-D (depending on what is available on the display and what you feel happy to use) - and avoid connecting usb directly to the display

Ilgar

Carlos-Anso modern, small (maximum 12-13" display for good ppi), eink or rlcd display has only usb-c, hdmi or dp and all of them have data lanes

de0u

Ilgar modern, small (maximum 12-13" display for good ppi), eink or rlcd display has only usb-c, hdmi or dp and all of them have data lanes

Agreed, but if they are "just a monitor", not Internet-connected, the risk is arguably lower.

TrustExecutor

Ilgar
It can probably be mitigated by connecting an adapter or dock that only provide media, not data.

Ilgar

TrustExecutor

usb-c, hdmi or dp and all of them have data lanes

I'm not sure if dock can separate media from data and then I put trust in dock.

de0u
indeed lower, especially if you buy display offline (can't be target modified while delivery), still there's a risk of compromising GOS security. Same to headphones with DAC. maybe there should be setting that allows only media access that is sufficient for audio and video while in only charging usb mode?

other way to think about it: you connect gos to offline display and it makes copy of your files (backdoor for usb exploit of gos in first scenario aside) and when you sell display or someone connects it to insecure os adversary fetches files from gos device

de0u

Ilgar indeed lower, especially if you buy display offline (can't be target modified while delivery), still there's a risk of compromising GOS security. Same to headphones with DAC.

Indeed. Because USB-C is very complicated, plugging anything into the USB-C port has risks.

Ilgar maybe there should be setting that allows only media access that is sufficient for audio and video while in only charging usb mode?

If there were a method for ensuring safety of "just audio and video", then that method would probably work for everything else (keyboards, mice, storage devices, Ethernet dongles, ...). At present there isn't such a method. Charging is complex enough, but it's simpler than basically everything else.