Questions about firmware and security

agl218

Hello everyone,

I am new here at this forum and I want to start into the world of GrapheneOS.
I got a Pixel 6 and before I try to flash GrapheneOS, I would like to ask you some questions.
As I have read in the documentation and in the installation manual, it seems like there will be verification procedure within every boot of the device to check for manipulated software. As I am not that into IT, I wonder if it is possible to infect the phone during the flashing process without noticing it? My computer has a relatively fresh installed OS (Ubuntu) on it, but could it be possible there are malicious firmware or drivers on some chipsets, which affect the phone during flash?

The second question is, if all the firmware, drivers and so on of all chipsets on the phone are cleared during the flash, in case the phone is infected somehow due to the previous use?

And third, can sim-cards transfer some kind of harmful software? The sim I am using was used in a pretty outdated phone before, that's why I want to switch to a pixel with GrapheneOS.

I am sorry that I am so worried about these things, but I really want a phone I can trust and GrapheneOS seems like a great project.
Thank you and have a nice day!

yore

agl218 After installing GrapheneOS, you can use the Auditor app to verify if the OS has been tampered with. It uses hardware-based attestation so even if your phone ends up being infected, the verification cannot be spoofed by malware.

GrapheneOS ships with the Auditor app pre-installed but you will need to install it on another Android phone to perform the verification.

See:
https://grapheneos.org/features#auditor
https://attestation.app/tutorial

burn3r

This will help

https://grapheneos.org/install/cli#verifying-installation

agl218

Hey burn3r and yore,
thank you for your quick response.

As far as I understand, the verification procedures during boot will detect a compromised OS, firmware, drivers and so on? So if I install GrapheneOS it will be checked and afterwards I can rely on it no matter what state my PC is in?

Just in case the phone in its current state is infected somehow, can this cause harm to my computer during the process? The phone is already reset to factory settings.

And the last question is, if there is some kind of danger when transferring the sim-card to the new phone?

In the manual I also found the Auditor-App check, this seems like a good way to check it. Thank you.

I am very grateful for your patience and I wish you a nice day.

[deleted]

agl218 if there is some kind of danger when transferring the sim-card to the new phone?

Not really. The only "danger" I can see is that the device (your smartphone) identifies the subscriber (you) by transmitting the International mobile subscriber identity (IMSI) number which is stored on your SIM card.

agl218

[deleted]
thank you for your reply,
my question was towards the potential risk of viruses, malware etc because of the old previous phone.

Greetings

[deleted]

agl218 my question was towards the potential risk of viruses, malware etc because of the old previous phone.

I'm aware.

agl218

So if I sum up:

There are multiple ways to confirm a clean install of GrapheneOS after flashing, like shown in the manual (chapter verification) and the app via another phone can also be used.

And now after I have reset the phone to factory settings (used phone), there should not be a risk for my computer when I connect it?

I am really sorry for all these questions, I am willing to learn but these security-topics are scary.
Thank you!

de0u

agl218 And now after I have reset the phone to factory settings (used phone), there should not be a risk for my computer when I connect it?

It's pretty unlikely, but not theoretically impossible. For example, a state-level actor could very plausibly add enough hardware to attack a connected PC, or maybe a really good criminal gang.

It might make more sense to ask how likely, or how expensive, a threat would be, rather than whether it is possible.

agl218

de0u

Thank you for your answer.

I bought this phone from a professional reseller, which has a pretty good reputation and in the past me and some people around me had good experiences with them.
So although it is possible, it seems like this is very unlikely if I get you right? Maybe this would also be more of a scenario for a specific attack i think?
So whatever, I bought this phone to use it and now it is too late to return it, so I think I have to try it?

Thank you all!

yore

agl218 No need to overthink it. Upon boot, the check is done to see if the OS has changed from its previous state. However, it does not verify if it is a genuine GrapheneOS image.

The best method to verify is by pausing boot at the yellow warning and comparing the hash to the image hash for the corresponding phone on the GrapheneOS website. Then lock the bootloader after install and verify with Auditor. This is all.

de0u

agl218 So although it is possible, it seems like this is very unlikely if I get you right?

Personally I think it is very unlikely. And much less likely with a Pixel than with quite a few other phones.

agl218

(I may reinstall the OS on the PC afterwards, my plan was to do it anyway and I hope that potential harmful influences only get on the OS and not the firmware or chipsets or whatever, I don't know that much about these things)

agl218

yore

Thank you very much!

agl218

de0u
Thank you!

agl218

de0u
I am sorry, one last question:
In the very unlikely event of an infected phone: Would it be enough to reinstall the OS on the PC afterwards?

Greetings

yore

agl218 Unlikely but yes, that is sufficient.

de0u

agl218 In the very unlikely event of an infected phone: Would it be enough to reinstall the OS on the PC afterwards?

Same answer, I'm afraid: the threat is possible but unlikely. Look for "persistent BIOS rootkit". Average PCs are arguably more vulnerable than Pixels! But the likelihood is still low.