• [deleted]

Assuming a threat actor has full physical control/unlocked bootloader etc on a pixel 6+ device, how advanced would they need to be in order to modify / inject malicious firmware/rootkit/malware into a pixel, that wouldn't be remedied by re-flashing the stock OS then GrapheneOS? Is this something that's publicly known to be done?

Context: Buying a used pixel 6+ and re-flashing stock OS then GrapheneOS to remove any potential persistent malicious firmware/rootkit/malware

    • [deleted]

    GrapheneOS Thanks for the link, great read!

    If I'm understanding correctly then, if a pixel running stock OR GrapheneOS had been affected by the recent baseband exploit for 6&7's, it would have only persisted until the phone was rebooted correct and would need to be exploited again after reboot? Unless there was a seperate exploit to infect firmware or the OS, but then in that case it shouldn't boot and re-flashing should clean it right?

    Thanks

      [deleted]

      [deleted] if a pixel running stock OR GrapheneOS had been affected by the recent baseband exploit for 6&7's, it would have only persisted until the phone was rebooted correct and would need to be exploited again after reboot?

      Not if. All pixel 6/7 have this hardware vulnerability baked in.
      In a phone with no updates or patches that was actively being exploited through this vulnerability. Then a reboot would not solve anything.

      Just to add, this specific exploit is/was state actor level or at least highly sophisticated, targeted attack. Not something the teenager next door would have ever have access.

        • [deleted]

        • Edited

        Chalko How can the phone still boot if there is persistent modifications like that? I thought that was the point of Verified Boot? Would a re-flash fix it in that case?

        EDIT: I guess what I'm getting at, is there anything that is publicly known to be possible, that could persist AFTER full flash + bootloader lock

          [deleted] How can the phone still boot if there is persistent modifications like that? I thought that was the point of Verified Boot? Would a re-flash fix it in that case?

          There was no modification. They were designed like this, with this flaw. An open door in the hardware.

          Maybe an attacker session would reset after reboot. The bootloader restore everything. But the hardware flaw still exist and the attacker still know where the open door is.

          There could be none or hundreds of exploits and vulnerabilities that no one knows about or those that know keep it secret. Either for malicious purposes or to fix it as soon as possible before they become public.

          Edit: In the baseband case it was particularly damaging because an attacker would only need to know your phone number. So it got the attention of everyone.

          But if you were to read security updates there are many similar things that are being patched or fixed everyday.

            • [deleted]

            Chalko I guess by modification I meant whatever changes they had to make in order for their exploit to persist after reboot, since verified boot checks that all the firmware is genuine

            • [deleted]

            • Edited

            @GrapheneOS Chalko Do you think once one of these exploits is successful that a re flash + lock would fully remedy it?

            [deleted] You're understanding correctly. They would need additional exploits to escape from the isolated baseband by exploiting the OS and would need a verified boot exploit to persist their access through a reboot without needing to remotely exploit the device again. Please note we shipped the available patches for those issues and they are not a special case but rather just the latest important firmware security updates.

              • [deleted]

              GrapheneOS Thanks!
              Would it make a difference if bootloader was unlocked + verified boot disabled at the time of the exploit? Would that allow them to do things that could render it ineffective later? I would imagine it would be irrelevant once it's locked and re-enabled again right?

                Its also worth mentioning that the recent GrapheneOS improvements to verified boot closed the door to some methods that could be used for exploit persistence

                https://grapheneos.org/releases#2023020200

                Also that GrapheneOS Auditor can be very useful in detecting the common method of gaining persistence via a malicious app which is set up with the powerful privileges of acting as an Accessibility Service or a Device Admin app when the device is exploited.

                [deleted] yes, verified boot verifies what software/firmware is present during the boot process. Flashing GrapheneOS makes you have completely identical operating system and all component firmware as everyone else with that device on that release.

                  • [deleted]

                  • Edited

                  dazinism Thank you that's a relief. I want to take advantage of the great value of used Pixels but I've always been weary of either the previous owner or someone who previously exploited the device in the past having access to the phone. But it sounds like verified boot solves just that particular situation.