Protect the Security settings with password/PIN

Hi,

I'd like to have the entire Security tab being only accessible with password/pin, like it is with adding fingerprint setting.

The point is to protect the auto-reboot and USB restrictions from being altered if a fingerprint is compromised.

To my understanding, the developers of GrapheneOS are exploring a solution that would allow for the use of both fingerprint and pin authentication in the AFU state. If I have understood your concern correctly, this would implicitly address your feature request.

    Vogelhaus Thank you, I'm aware of that. However, it would be nice to have extra protection of Security related settings regardless of whether 2FA is enabled or not.

    I am attempting to understand the potential advantages of this approach. If an individual possesses both your fingerprint and PIN, assuming two-factor authentication (2FA) is active, would it not be a simple task for them to surpass the safeguarded Settings PIN? Furthermore, what benefits would one gain if an unauthorized party has already breached your phone's security to the extent that they can access the Settings Menu? Please note that I am not implying your request lacks validity; rather, I am attempting to gain a better understanding of the scenario at hand.

      Vogelhaus An individual doesn't need to acquire the PIN or the fingerprint in order to bypass the lock screen when the device is in AFU mode, as seen in the most recent lock screen bypass exploit (CVE-2022-20465).
      Bypassing the lock screen because of a logical error doesn't imply that the settings security tab is vulnerable to the same exploit. So 2FA wouldn't solve the issue in that case. I'm not sure how this exploit theoretically would have had an effect on 2FA if it were implemented by GrapheneOS. Maybe it would have gotten caught somewhere during execution.

      @dc32f0cfe84def651e0e
      But to be honest I don't see the sense in protecting the security tab in the settings as well.

      Let's say an individual unlocks your phone. So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings). Who cares about the settings and turning auto reboot off or allowing USB peripherals? Just download the data and goodbye. No one is interested in changing any settings. What for?

        Vogelhaus That's ok :)

        Let's imagine a case when both password/pin and biometrics are configured, but only one of them is sufficient to unlock the device. The goal is to engage additional countermeasures in case fingerprints are compromised or have been applied forcibly, so the attacker still has limited access and limited timeframe to tamper with the device in AFU state.

          UpStream So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings). Who cares about the settings and turning auto reboot off or allowing USB peripherals?

          The Owner profile is only for calls/sms and navigation, also other nothing-to-hide daily activities. Whereas messengers and banking apps reside in separate profiles and are being used rarely and within physical security.

            Anyway, there could be a switch requiring to reset the auto-reboot countdown explicitly regardless of the unlock :)

            UpStream

            Thank you for bringing up that CVE. Considering that an AFU phone is always at risk of being exploited, wouldn't the only viable countermeasure be to set the auto-reboot setting to the lowest possible interval that is tolerable for an individual user?

              The reason I said "I think so" is because no other method of getting the device into a BFU state comes into my mind except rebooting which can be done manually or by using the auto reboot feature.

              There's a lockdown mode. It disables biometrics and some other stuff, but the only method to fully purge the encryption keys of the owner profile and put it at rest is a reboot, since the owner profile encrypts some system-wide OS data, so it doesn't put the phone in a BFU state either.

              When in danger, just reboot. It's a quick action, and if you still don't manage to do it, the auto reboot feature, if set, has got your back.

                UpStream When in danger, just reboot. It's a quick action, and if you still don't manage to do it, the auto reboot feature, if set, has got your back.

                This action may not be available when caught off-guard.

                UpStream An individual doesn't need to acquire the PIN or the fingerprint in order to bypass the lock screen when the device is in AFU mode, as seen in the most recent lock screen bypass exploit (CVE-2022-20465).

                That vulnerability was patched quickly. One of the best things about GrapheneOS is that they don't delay security patches.

                UpStream But to be honest I don't see the sense in protecting the security tab in the settings as well.

                Let's say an individual unlocks your phone. So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings)

                There are different threat models at play. It's not just about stealing the data currently available.
                Persistence is a very important concept in security. The PIN/Password being required for adding a new fingerprint is for this reason. There are other things within the Security Menu (More security settings) that do not prompt for PIN/Password.
                Device Admin apps and Trust Agents are two major ones.

                Again, it is not only about stealing the data currently available.
                With only a minute, an attacker can install a malicious app, make it Device Admin, grant it special permissions, and the victim/owner now has spyware on their phone.

                Screen lock camera access is also under the security menu, which could be abused.
                Installing certificates is a major attack vector. That one seems to be protected just by re-authing with a fingerprint.

                It would be nice to have the option for additional auth factors for these sensitive settings.

                  Graphite Screen lock camera access is also under the security menu, which could be abused

                  Hi, what is the risk with this? I use this feature all the time with Google Camera and network permissions disabled.

                    L8437

                    I haven't tried, but maybe spyware in combination with an app with accessibility and device admin.

                    I am new to GOS. I am VERY interested in following this thread. Everyone has voiced scenarios for all kinds of attacks which I want to avoid. I have allowed an attacker into my devices once before. 8 phones, 2 iPads, 3 service providers later I have landed here (all in 18 months).

                    Vogelhaus If an individual possesses both your fingerprint and PIN, assuming two-factor authentication (2FA) is active, would it not be a simple task for them to surpass the safeguarded Settings PIN?

                    • You just assume something that heavy? Why would you assume that? Even possessing only the PIN is just really unlikely.

                    - On the second point you are right, though: if the system is already breached, "securing" these options does not provide any more security.