Hi,
I'd like to have the entire Security tab being only accessible with password/pin, like it is with adding fingerprint setting.
The point is to protect the auto-reboot and USB restrictions from being altered if a fingerprint is compromised.
To my understanding, the developers of GrapheneOS are exploring a solution that would allow for the use of both fingerprint and pin authentication in the AFU state. If I have understood your concern correctly, this would implicitly address your feature request.
Vogelhaus Thank you, I'm aware of that. However, it would be nice to have extra protection of Security related settings regardless of whether 2FA is enabled or not.
I am attempting to understand the potential advantages of this approach. If an individual possesses both your fingerprint and PIN, assuming two-factor authentication (2FA) is active, would it not be a simple task for them to surpass the safeguarded Settings PIN? Furthermore, what benefits would one gain if an unauthorized party has already breached your phone's security to the extent that they can access the Settings Menu? Please note that I am not implying your request lacks validity; rather, I am attempting to gain a better understanding of the scenario at hand.
Vogelhaus An individual doesn't need to acquire the PIN nor the fingerprint in order to bypass the lock screen when the device is in AFU mode as seen in the most recent lock screen bypass exploit (CVE-2022-20465).
Bypassing the lock screen because of a logical error doesn't imply that the settings security tab is vulnerable to the same exploit. So 2FA wouldn't solve the issue in that case. I'm not sure how this exploit theoretically would have had an effect on 2FA if it were implemented by GrapheneOS. Maybe it would have gotten caught somewhere during execution.
@dc32f0cfe84def651e0e
But to be honest I don't see the sense in protecting the security tab in the settings as well.
Let's say an individual unlocks your phone. So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings). Who cares about the settings and turning auto reboot off or allowing USB peripherals? Just download the data and goodbye. No one is interested in changing any settings. What for?
Vogelhaus That's ok :)
Let's imagine a case when both password/pin and biometrics are configured, but only one of them is sufficient to unlock the device. The goal is to engage additional countermeasures in case fingerprints are compromised or have been applied forcibly, so the attacker still has limited access and limited timeframe to tamper with the device in AFU state.
dc32f0cfe84def651e0e They don't have limited time to tamper with the device. They have unlimited time since auto reboot only applies when the device hasn't been unlocked. But it has been unlocked since the attacker has unlocked it...
UpStream So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings). Who cares about the settings and turning auto reboot off or allowing USB peripherals?
The Owner profile is only for calls/sms and navigation, also other nothing-to-hide daily activities. Whereas messengers and banking apps reside in separate profiles and are being used rarely and within physical security.
UpStream Oops, forgot it. I've only used GOS for less than a month, sorry.
Anyway, there could be a switch requiring to reset the auto-reboot countdown explicitly regardless of the unlock :)
The reason I said "I think so" is because no other method of getting the device into a BFU state comes to my mind except rebooting, which can be done manually or by using the auto reboot feature.
There's a lockdown mode. It disables biometrics and some other stuff but the only method to fully purge the encryption keys of the owner profile and put it at rest is a reboot since the owner profile encrypts some system-wide OS data so it doesn't put the phone in a BFU state either.
When in danger just reboot. It's a quick action and if you still don't manage to do it the auto reboot feature if set has got your back.
UpStream When in danger just reboot. It's a quick action and if you still don't manage to do it the auto reboot feature if set has got your back.
This action may not be available when caught off-guard.
dc32f0cfe84def651e0e If you press on "End session" in your secondary user profile the encryption keys are completely purged.
UpStream An individual doesn't need to acquire the PIN nor the fingerprint in order to bypass the lock screen when the device is in AFU mode as seen in the most recent lock screen bypass exploit (CVE-2022-20465).
That vulnerability was patched quickly. One of the best things about GrapheneOS is they don't delay security patches.
UpStream But to be honest I don't see the sense in protecting the security tab in the settings as well.
Let's say an individual unlocks your phone. So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings)
There are different threat models at play. It's not just about stealing the current data available.
Persistence is a very important concept in security. The PIN/Password being required for adding a new fingerprint is for this reason. There are other things within the Security Menu (More security settings) that do not prompt for PIN/Password.
Device Admin apps and Trust Agents are two major things.
Again, it is not only about stealing the current data available.
With only a minute an attacker can... Install a malicious app, make it Device Admin, grant it special permissions and the victim/owner now has spyware on their phone.
Screen lock camera access is also under the security menu, which could be abused.
Installing certificates is a major attack vector. That one seems to be protected just by re-authing with a fingerprint.
It would be nice to have the option for additional auth factors for these sensitive settings.
I am new to GOS. I am VERY interested in following this thread. Everyone has voiced scenarios for all kinds of attacks which I want to avoid. I have allowed an attacker into my devices once before... 8 phones, 2 iPads, 3 service providers later I have landed here. (All in 18 months).
Vogelhaus If an individual possesses both your fingerprint and PIN, assuming two-factor authentication (2FA) is active, would it not be a simple task for them to surpass the safeguarded Settings PIN?
- On the second point you are right tho: if the system is already breached, "securing" these options is not providing any more security.