Flashing from untrusted PC (pot. compromised firmware)

amiralty

Regarding flashing from an untrusted PC, the install guide says:

"The verified boot and attestation features provided by the supported devices can be used to verify that the hardware, firmware and GrapheneOS installation are genuine. Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with these features."

Part of the above statement by the GrapheneOS team ('[...] it can be detected with these features.'), seems to me to allude to the fact that a compromise of the firmware is possible as GrapheneOS flashes firmware on install, but would be detectable. Or does this only affect the OS?

If there is a chance of a permanent low level firmware compromise through some kind of chain exploit, I would consider reflashing stock to the phone I have and getting a new one. I failed to properly take note/verify the grapheneOS url and the commands when installing it myself, which leads to me being unable to completely trust the flashed OS.

Say that the image and thus the flash all script were compromised, would any attacker be able to replace the lower levels of firmware like fastboot, "boot kernel"/ bios equivalent for android, or is this impossible by design?

Johnnyloans

amiralty

Get a bootable Linux USB. Boot into it. Flash GOS.
MD5 all files on the USB if you want

amiralty

Unfortunately, replacing the firmware and fastboot might be possible, according to the GrapheneOS account on the forum:

"A sophisticated exploit of verified boot of the OS could allow surviving factory reset from recovery but not flashing from fastboot mode. Surviving flashing the firmware/OS would require replacing fastboot mode with their own, implying having a lower-level verified boot exploit not only an exploit for OS verified boot performed by the firmware for the core OS and by the OS itself for the rest of the OS."

Anything can be exploited it seems :( Might need to get a new phone to restore safety at this point... but then again, using the same untrusted PC could land me in the same spot again. As I understand it right now, I do not see a safe way to flash GrapheneOS without trusting the PC.

amiralty

Johnnyloans Get a bootable Linux USB. Boot into it. Flash GOS.

Same problem in the end though. To create a bootable USB I need to trust the device I create it with. If the original creator of the bootable USB is not trusted, the bootable USB cannot be trusted either. Plus, with a bootable linux usb – unlike chromeOS or macOS - there is no verified boot and thus no way to verify if the boot image is unchanged.

Johnnyloans

amiralty

Compare the creation to a known list of file hashes

Md5 or sha256 etc

amiralty

Johnnyloans

I do not believe a linux USB is the most secure option, even with a hash comparison. Comparing the hashes would again necessitate trusting the party that calculates them. If the creator of the USB is compromised, you cannot trust it to calculate the hashes. Inserting the USB into another device could infect it as well.

After reading the guide again, I think another pixel with stock OS is the optimal way to be able to confidently flash gos and have some kind of guarantee of its authenticity. That only leaves the question, if I should 'trash' the phone I have and get a new one.

Johnnyloans

amiralty

That's a great option to use another pixel.

Viruses are not magical or have agency like a human would behind enemy lines--reacting to its changing surroundings and coming up with plans to survive and avoid detection.

A virus probably won't have a top tier exploit to intercept usb traffic and another exploit to interject hash calculations.

amiralty

I guess I should also mention that the site I followed the instructions from was more than likely the official grapheneOS website. Unless there exists a copy-cat website that has a similar design, build and url to the official one, I am confident that I did not stumble upon a fake.

Are there any such known copy-cats out there that deliberately target gos users?

amiralty

Johnnyloans Yeah, I guess I am just talking in hypotheticals.

Realistically speaking, the url I visited when I flashed the phone was the legit grapheneos.org website, the images were legit and the phone is ok.

Just the fact that I overlooked verifying the url "just to be sure", makes me question the whole process and theorize about a potential exploit having occurred.

There are no such signs of an exploit having occurred. To the contrary even: the website looked legit and the verified boot string matched.

I guess sometimes hyper-vigilance and being overly cautious and then overlooking a crucial element can lead to an "exaggeration of reality." I am in no way someone that should fear being targeted by such sophisticated exploits and in fact can't see any adversary being interested in my person.

The only way me being affected by an exploit could make sense is if there exists a copy-cat website of grapheneOS that I stumbled upon (typed url by hand), is not registered in google safe browsing, has a valid https certificate, has the time, resources and expertise as well as zero-days that is openly targeting anyone that tries installing grapheneOS.

So, realistically speaking, I do not believe that the phone was compromised. The thread was more of a way to assure myself and further reduce the "chance" of an exploit in my mind.