GrapheneOS Organization Reports On The Good Response To The Vulnerabilities They Discovered Related To Device Wiping Via Admin API

grapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)

We've planned to support adding a PIN as a 2nd factor for fingerprint unlock since 2016. A new contributor has recently made a lot of progress on it. We'll get it done after duress PIN/password. It will allow using passphrase primary unlock with fingerprint+PIN secondary unlock.

Google is publicly working on a fix for the factory reset vulnerability we reported:

https://android-review.googlesource.com/c/platform/frameworks/base/+/3008138

Currently, apps using the device admin API to wipe do not provide any security against a local attacker since you can interrupt them. Forensic companies are aware of this.

We weren't sure if they would even consider this to be a valid vulnerability but it was accepted as a High severity issue with a $5000 bounty. We also reported what we consider a far more serious firmware vulnerability which received a $3000 bounty due to not having full info.

They're going to be shipping the mitigation we proposed for preventing obtaining data via exploiting vulnerabilities in firmware boot modes in the April security update. We also proposed software improvements which may ship soon. We aren't sure when factory reset will be fixed.

GrapheneOS provides substantial defenses against obtaining data from devices in the After First Unlock state. We recently made major improvements in this area including our new USB-C port control feature able to disable data lines at a hardware level, unlike the standard feature.

Our USB-C port control is set to "Charging-only when locked, except before first unlock" by default. New USB connections can only be made while unlocked, except BFU. After locking, new connections are blocked immediately and data lines are disabled when existing connections end.

We encourage users to use "Charging-only when locked" if they don't need USB devices when the device boots or "Charging-only" if they don't use USB beyond charging. There's also an "Off" value disabling charging when the OS is booted into the main OS boot mode for high threat models.

Our auto-reboot feature starts a timer after the device is locked which will reboot the device if it isn't unlocked successfully before the timer elapses. This is set to 18 hours by default but can be set between 10 minutes and 72 hours. It won't chain reboot the device anymore.

Our main defenses against this are our standard exploit protection features:

https://grapheneos.org/features#exploit-protection

Wiping freed memory in kernel/userspace also helps beyond exploit mitigation. We also added full compacting GC for core processes when locking and we're working on much more.
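The USB-C port control behaviour described in the posts above, written out as a small state machine. This is an added illustration, not GrapheneOS code: it models only the policy as the posts state it (new connections allowed per mode and lock state, data lines dropped once existing connections end, charging cut in "Off"), and the class and method names are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    # The four settings named in the posts (default is the first).
    CHARGING_ONLY_WHEN_LOCKED_EXCEPT_BFU = "Charging-only when locked, except before first unlock"
    CHARGING_ONLY_WHEN_LOCKED = "Charging-only when locked"
    CHARGING_ONLY = "Charging-only"
    OFF = "Off"


@dataclass
class UsbPort:
    """Simplified model (assumption) of the port policy; device starts locked and BFU."""
    mode: Mode
    unlocked: bool = False
    first_unlock_done: bool = False   # False means Before First Unlock (BFU)
    charging: bool = True
    data_lines: bool = True
    connections: set = field(default_factory=set)

    def __post_init__(self):
        self._refresh()

    def _new_connections_allowed(self) -> bool:
        if self.mode in (Mode.OFF, Mode.CHARGING_ONLY):
            return False
        if self.unlocked:
            return True
        # Locked: only the default mode permits new connections, and only while BFU.
        return self.mode is Mode.CHARGING_ONLY_WHEN_LOCKED_EXCEPT_BFU and not self.first_unlock_done

    def _refresh(self) -> None:
        # Data lines stay up for connections that already exist; they are disabled
        # once those end and no new connection would be permitted. "Off" also cuts charging.
        self.data_lines = self._new_connections_allowed() or bool(self.connections)
        self.charging = self.mode is not Mode.OFF

    def unlock(self) -> None:
        self.unlocked, self.first_unlock_done = True, True
        self._refresh()

    def lock(self) -> None:
        self.unlocked = False
        self._refresh()

    def connect(self, device: str) -> bool:
        """Attempt a new USB data connection; False means it was blocked by policy."""
        if not self._new_connections_allowed():
            return False
        self.connections.add(device)
        self._refresh()
        return True

    def disconnect(self, device: str) -> None:
        self.connections.discard(device)
        self._refresh()
```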

  • Grapheme OS bridges its 'public' chat with discord and other known corporate spyware platforms

    https://spyware.neocities.org/articles/discord

    • No way, next you are going to tell me that they even have a public website and their information gets shared on reddit and lemmy. Oh god, even their product is open source! Panic, people, panic!

      • Discord isn't a public website

        • That's true. But you are taking offence at them bridging their public chats to non-public services due to them being spyware.

          I don't disagree that they are essentially spyware, but it doesn't matter when the information shared is already publicly accessible anyway. It only adds convenience for users who, for whatever reason, prefer to use Discord over Matrix.

          So your initial comment is essentially saying: "Unrelated to the topic, GrapheneOS shares their data with shady data brokers!". You're not technically wrong, but the implications are meaningless.