Hello,
does a re-flash over web-ui overwrite EVERYTHING? Is there a possibility for consistent malware to survive? Like commericial malware from NSO-like companies? What about the latest Samsung modem vulnerability? Is a shut down pixel with good password safe from all physical adversary?

Appreciate all input.
best,
Vik

    DVDVDV Is a shut down pixel with good password safe from all physical adversary?

    An adversary who can freeze the SOC with liquid nitrogen, grind the top off of the chip, use an electron microscope to read individual bits out of the secure element, and use a supercomputer, can probably brute-force even a medium-length PIN or non-long password.

    There is no magic device which is secure against all adversaries, thus Pixel devices aren't secure against all adversaries.

    Plus real devices, including Pixels, including the secure element, can and do have bugs.

    All of that said, given current knowledge a powered-off Pixel with a current OS and a good password is top-tier. "Rubber hose decryption" may be more feasible than breaking in.

      DVDVDV Lots of questions you have.
      There has to be an initial "boot" program when "flashing" GOS - and one of your questions concerns the security of that program and its file/script. I don't know; looking forward to the answer. (Guessing the new pixel hardware protects it well!?)

        thetraveller1 Cellular baseband firmware is updated by the OS and must have a valid signature. It has verified boot as with the rest of the firmware and the OS. Carriers do not provide the updates to it and do not have control over it. The cellular baseband is isolated from the OS like other radios. Cellular, Wi-Fi and Bluetooth are implemented in a similar way. It's a misconception that cellular basebands are significantly different from Wi-Fi/Bluetooth basebands, and in fact on Snapdragon devices they're the same isolated component with internal sandboxing for the different radio processes.

        de0u The secure element is not part of the SoC and does not simply store data unencrypted on regular flash memory. If you have a strong random passphrase, then you aren't depending on the secure element for security against brute force. If you have a 6 digit random PIN, you depend on it entirely.

          DVDVDV Booting up recovery and performing a factory reset is enough to remove all of the operating system's persistent state. Please read https://grapheneos.org/install/web#verifying-installation. Reinstalling the OS via fastboot mode has the same end result as a factory reset. Either way, the firmware and OS images are fully verified to be genuine by verified boot and data is wiped. Recovery vs. fastboot mode are both very minimal with extremely minimal persistent state used only for a few specific things.

            DVDVDV There are vulnerabilities in every radio fixed on a regular basis. The amount of media coverage and hype for vulnerabilities does not reflect their severity of uniqueness. It largely depends on who finds it and how they promote it. Google Project Zero invested resources into finding vulnerabilities in the modem used by Pixels to help make it more secure. Finding and fixing these vulnerabilities is a good thing, not a bad thing. Google Project Zero not investing the same resources into other radios doesn't mean they're more secure, but does mean they didn't get this major round of bugs getting found and fixed.

            • [deleted]

            GrapheneOS Is booting to recovery to factory reset equivalent to doing it through Settings > System > Reset?

            Blastoidea
            Maybe you will find this interesting, I certainly did!

            https://youtu.be/lhbSD1Jba0Q

            This is really cool, but most surely does not have any relevance to any of the chips in the Pixel, it should be infinently more complex than what you find in an old Set Top Box. But the fact that this is possible, is crazy :D