• [deleted]

Okay, my question is, assuming a threat actor is able to gain hardware-level system access to the device (as an example, let's say, through the recent baseband exploit), is it theoretically possible for them to plant malware that would persist through a full re-flash of GrapheneOS OR stock OS? Is there any malware that can persist through that?

Thanks

  • [deleted]

Blastoidea I always HOPED that a re-flash would nuke anything like that, but I thought of how sometimes on computers there has been malware planted in a hardware component like the motherboard or HDD. I have no idea if that's something feasible to happen on a phone too?

    [deleted] You're talking about something like an MBR virus? Those are EASILY cleared by zeroing out the disk, which is something that a lot of people didn't do when infected (back when this type of malware was common).

    The boot sequence on a phone is more robust than on an old 8086 desktop. Each stage of the boot is cryptographically verified prior to execution, so if something in some stage is modified, then the prior stage will refuse to boot it.

    It is technically possible (using some exploit) for malware to inject a modification into the kernel layer (boot.img) or higher (system.img, etc.), but doing so would also require injection of custom verified signing keys, so if the worst possible thing happens, clearing the avb_custom_key partition would solve the problem. GrapheneOS wipes this and installs its own key there during installation, so a complete reinstallation would eliminate any potential persistent malware.

    Google doesn't use a custom key there, so running "fastboot erase avb_custom_key" and a full reinstall would work for the factory image.

    Theoretically, there is probably some component on the phone that has its own firmware that could be infected with malware. However, part of GOS's security appeal is that it uses and does not break verified boot, so many rootkits would be detected or prevented.

    As with regular computers, if an attacker can poison the lowest level of firmware then that is game over, except for the few people that can tear open the device and manually flash directly to the chips. Everyone else that relies on the (potentially poisoned) firmware to update itself is out of luck. Or, for example, threat actors have poisoned the firmware of the storage devices (e.g., SSDs).

    If you're looking for a 100% "it cannot happen" then that's not possible. If you're concerned about threat actors with this level of sophistication then any suspect devices should just be replaced, not re-flashed.
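The verified-boot argument in the reply above (a modified boot.img is refused by the previous stage; getting it to boot requires planting a signing key in avb_custom_key; erasing that partition and reinstalling removes the foothold) can be walked through in a small model. The following is an added example written for this thread, not code from any poster or from the GrapheneOS or AOSP projects. It is a simplification of Android Verified Boot: a keyed HMAC stands in for the RSA signature over vbmeta so it runs with only the standard library, the key names and image bytes are constructed, and rollback indexes and dm-verity hashtrees are left out.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Toy model of Android Verified Boot (AVB). Constructed for illustration only:
# real AVB signs a vbmeta struct with RSA; here hmac-sha256 with a secret key
# plays the role of the signature so the example has no dependencies.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class VbMeta:
    partition_hashes: Dict[str, bytes]  # partition name -> expected sha256 of the image
    signature: bytes                    # "signature" over the hash table
    key_id: str                         # which trusted key the signer claims to have used


def serialize(partition_hashes: Dict[str, bytes]) -> bytes:
    """Canonical byte form of the hash table, so signer and verifier agree."""
    return b"".join(name.encode() + h for name, h in sorted(partition_hashes.items()))


def sign_vbmeta(partition_hashes: Dict[str, bytes], key: bytes, key_id: str) -> VbMeta:
    sig = hmac.new(key, serialize(partition_hashes), hashlib.sha256).digest()
    return VbMeta(partition_hashes, sig, key_id)


@dataclass
class Device:
    oem_key: bytes                          # fixed in the bootloader, cannot be changed by reflashing
    partitions: Dict[str, bytes]            # partition name -> image bytes
    avb_custom_key: Optional[bytes] = None  # contents of the avb_custom_key partition, if any

    def trusted_keys(self) -> Dict[str, bytes]:
        keys = {"oem": self.oem_key}
        if self.avb_custom_key:                 # a user-installed OS (or an attacker) adds a key here
            keys["custom"] = self.avb_custom_key
        return keys

    def boot(self, vbmeta: VbMeta) -> str:
        """The bootloader stage: verify vbmeta, then verify every partition it covers."""
        key = self.trusted_keys().get(vbmeta.key_id)
        if key is None:
            return "refused: vbmeta signed by untrusted key"
        expected = hmac.new(key, serialize(vbmeta.partition_hashes), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, vbmeta.signature):
            return "refused: vbmeta signature invalid"
        for name, h in vbmeta.partition_hashes.items():
            if sha256(self.partitions.get(name, b"")) != h:
                return f"refused: {name} hash mismatch"
        return "booted"


def run_scenarios() -> Dict[str, str]:
    """Replays the thread's argument step by step and returns each boot outcome."""
    oem_key = b"constructed-oem-signing-key"
    attacker_key = b"constructed-attacker-key"
    stock = {"boot": b"stock kernel image", "system": b"stock system image"}
    dev = Device(oem_key=oem_key, partitions=dict(stock))
    stock_vbmeta = sign_vbmeta({n: sha256(i) for n, i in stock.items()}, oem_key, "oem")
    results = {}

    results["stock"] = dev.boot(stock_vbmeta)                       # untouched device boots

    # An implant in boot.img alone: the hash in the OEM-signed vbmeta no longer matches.
    dev.partitions["boot"] = b"stock kernel image + implant"
    results["tampered_boot"] = dev.boot(stock_vbmeta)

    # Re-signing vbmeta with the attacker's own key is not enough on its own.
    evil_vbmeta = sign_vbmeta({n: sha256(i) for n, i in dev.partitions.items()},
                              attacker_key, "custom")
    results["resigned_no_custom_key"] = dev.boot(evil_vbmeta)

    # Only by also planting the key in avb_custom_key does the implant survive reboots.
    dev.avb_custom_key = attacker_key
    results["resigned_with_custom_key"] = dev.boot(evil_vbmeta)

    # Recovery as the reply describes it: erase avb_custom_key, then reflash stock images.
    dev.avb_custom_key = None                                       # "fastboot erase avb_custom_key"
    results["after_erase_custom_key"] = dev.boot(evil_vbmeta)
    dev.partitions = dict(stock)                                    # full reinstall of the factory image
    results["reflashed_stock"] = dev.boot(stock_vbmeta)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenarios().items():
        print(f"{step:28s} {outcome}")
```

The sequence makes the reply's two points concrete: a kernel-level implant cannot boot unless the attacker also controls a key the bootloader trusts, and the only trust anchor a reflash can change is avb_custom_key, which is why wiping it (GrapheneOS does this during installation) is what actually removes the persistence. It also shows the limit the reply draws: the model assumes the bootloader itself and its OEM key are intact, which is exactly the lowest-level firmware that a reflash cannot repair.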