I would like to buy a used Pixel and install on it a custom ROM.
What are the risks? Is it reasonably secure? What is the worst thing that could happen?
You can find a malicious firmware, removed security components or such.
If you install a custom ROM, shouldn’t this override the changes? Installing a new OS should put everything back as it should be, right?
Not at the firmware/hardware level. So if one or both are compromised, installing a custom ROM won’t make the device secure I guess.
I don’t know how likely it is to find and buy such a device, and I don’t know if there are ways to verify the integrity of it.
I imagine there would be a warning on boot (assuming secure boot is on)
You need not to worry about these attack vectors (firmware compromises) unless you are Snowden.
Thank you for your reply!
Is it an unlikely attack because it requires sophisticated work to hack the firmware/hardware, so it’s not worth it for an attacker?
Let’s assume I could easily hack the phone at that level, then I could sell it to someone and try to steal as much information as possible.
I know I’m probably oversimplifying, I just want to know why it is not a realistic scenario.
Can be done. Requires a lot of hard work in hiding the tracks and not breaking Verified Boot. Not for your threat model though. Analyze with wireshark for a week if you are skeptical.