I have seen a lot of praise for the Google Pixel smartphone. Why? Verified boot. You can relock the bootloader, which creates a chain of trust, making it oh so much more secure.
Many privacy enthusiasts now buy Google Pixel phones, and here's why I do not think that is a good idea:
1: They are directly funding Google's mass surveillance.
2: They are funding Google rather than buying actually privacy-focused hardware. This is obviously a very strategic move by Google to weaken this entire branch of the tech industry. As an international, multi-billion-dollar company, they can of course provide better-quality hardware at a cheaper price.
For a user to be able to turn on the option to unlock the bootloader, they have to either log into a Google account or at least connect to the internet, or the option stays greyed out. Why? It does not make any sense! Connecting to the internet for even a few minutes on non-FOSS stock Android, and being forced to do so in order to liberate the phone, seems very sketchy to me.
I would personally rather opt for a Pinephone.
Is it perfect? No.
Is it private? Yes.
Does it have verified boot? No.
Is it secure? Yes.
Here's why I do not think verified boot is worth buying from Google for:
For most of us, malware will never even enter the system. Malware mitigations do not actually protect us from getting malware; we cannot forget that.
When the malware is already on the phone and tries to deploy, that is when the malware mitigations (verified boot, sandboxing, MAC, encryption, ...) actually come in handy. It is, however, very much possible to circumvent all of these precautions, as we have seen with the Pegasus malware.
At the end of the day, your threat model plays a big part in your decision making.
Let's go over the most basic ones:
- 1: General, widespread malware, trying to trick people into joining a botnet
- 2: Targeted attacks against an individual
- 3: Targeted attacks against an individual by a government
1: General, widespread malware
This type of malware will probably only exploit already-known security vulnerabilities and will rely heavily on the user for the attack to work: things like a file named picture.png.py, phishing, and "Your computer has a virus" pop-ups.
What to do:
- Virtually all of these attacks can be avoided by staying vigilant: common sense and some knowledge about computers.
- If you run Linux, most malicious programs will not work, since the Linux desktop userbase just is not that big, and the malware would have to be tailored for Linux to even work properly.
If you are just careful, verified boot will never even have to protect you, since the malware does not reach your device in the first place.
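The picture.png.py trick above is cheap to catch mechanically, so here is an added example (not code from the original post) that classifies file names by their real, last extension and also flags the related right-to-left-override trick, where a Unicode control character makes a name such as "invoice" + U+202E + "fdp.exe" display as "invoiceexe.pdf" in many file managers. The extension sets, the sample file names and the verdict labels are assumptions chosen for illustration.

```python
# Added example, not from the original post: a check for the "picture.png.py"
# trick, where a decoy extension (.png) hides the real, executable one (.py),
# plus the right-to-left-override trick, where a Unicode control character
# reorders the displayed name. The extension sets are assumptions chosen for
# illustration, not a complete catalogue.

# Extensions that execute when opened on a typical desktop (illustrative).
EXECUTABLE_EXTENSIONS = {
    "py", "sh", "bash", "pl", "rb", "exe", "scr", "bat", "cmd", "com",
    "ps1", "vbs", "js", "jar", "msi", "hta", "desktop", "appimage",
}

# Extensions a user reads as harmless data (illustrative).
DECOY_EXTENSIONS = {
    "png", "jpg", "jpeg", "gif", "pdf", "doc", "docx", "xls", "xlsx",
    "txt", "mp3", "mp4", "zip",
}

# Unicode bidirectional controls; any of them can reorder the displayed name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def classify_filename(name: str) -> str:
    """Classify a file name as "bidi-spoof", "double-extension", "executable" or "ok".

    Only the text after the last dot is the real extension; every dotted part
    between the base name and that last part is treated as a possible decoy.
    A bidi control character anywhere is flagged on its own, because once it
    is present the displayed name no longer tells you the real extension.
    """
    if any(ch in BIDI_CONTROLS for ch in name):
        return "bidi-spoof"
    parts = name.lower().split(".")
    real_ext = parts[-1]
    if len(parts) < 2 or real_ext == "":
        return "ok"  # no extension at all, e.g. "README" or "notes."
    if real_ext in EXECUTABLE_EXTENSIONS:
        decoys = parts[1:-1]  # e.g. ["png"] for "picture.png.py"
        if any(p in DECOY_EXTENSIONS for p in decoys):
            return "double-extension"
        return "executable"
    return "ok"


def scan_download_folder(names):
    """Return only the names worth a second look, with their verdict."""
    return {n: v for n in names if (v := classify_filename(n)) != "ok"}


# Constructed sample of what a download folder might contain.
SAMPLE_NAMES = [
    "holiday.jpg",
    "picture.png.py",
    "invoice\u202efdp.exe",   # displays as "invoiceexe.pdf"
    "setup.exe",
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    for name, verdict in scan_download_folder(SAMPLE_NAMES).items():
        print(f"{verdict:17s} {name!r}")
```

The bidi check comes first on purpose: once a control character is in the name, splitting on dots tells you what the file system sees, not what the user sees, so the name is suspicious regardless of its extensions.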
2: Targeted attacks against an individual
This type of malware will probably appear in the form of spear-phishing and targeted attacks with custom-crafted payloads. In some circumstances this might also include doxxing or leaking of sensitive information.
The attackers might be on the lookout for CVEs to use against you.
This type of malware will probably never have zero-click capabilities, but might try to exploit holes in your browser, operating system or other programs you use. If they do get a payload onto the system, it might inject its code into a privileged process.
What to do:
- Being careful and aware of what you do will make it very difficult for the attackers.
- Secure means of communication and file sharing, strong passwords and 2FA, encryption of sensitive data and cold-storage backups, as well as basic security practices (not leaving your phone unattended, AirTag protection and privacy screen protectors) will be very important measures to ensure your safety.
- Keeping your software updated and being aware of security vulnerabilities in your programs.
- Using a trusted antivirus, so that attackers cannot just copy-paste code from GitHub.
- If you are using Linux, CVEs are usually addressed much faster than on Windows.
- Sandboxing such as Firejail and MAC such as AppArmor protect you on the "human error" side of things and, again, against vulnerable software, so they should definitely be used.
As long as the attacker does not know that you do not have verified boot, they will not even try to exploit that fact, since secure boot is mainstream (more on that later).
3: Targeted attacks against an individual by a government
Disclaimer: It sadly is possible to get into such a position without even doing anything illegal, but I again advise you not to take any of this as instructions, but rather as a technical analysis and thought experiment regarding digital security. I do not condone any criminal behavior.
As we have seen with Pegasus: all major governments of this world can break into any mobile device via zero-click exploits.
Now that awareness is through the roof, their job will only get harder, but it will sadly not become impossible. It just means that the price for "Pegasus 2: Electric Boogaloo" will be way steeper.
Pegasus did not give a flying rabbit's ass about verified boot, sandboxing or mandatory access control, proving once again that these measures are in no way bulletproof.
The general consensus is that security through obscurity is not a good practice. This is pretty much universally agreed on, yet both Apple and Microsoft use exactly that.
What I am advocating for is similar, but should not be confused with it: security through uniqueness.
Let's take BSD for example. It is open source, but has a very small market share. What are the odds that any government of this world is pouring millions of dollars into finding zero-days for it? Exactly.
Will they find zero-days in it if they look for them? Yes, of course they will, but it is a matter of how fast.
When the government is on the hunt for you, you are pretty much done for by default. The only thing you can do is not give them any attack surface.
If a government links any online activity back to you, they will probably just get out the big red button and target your device with a zero-click zero-day. What happens after their initial attack fails is up for speculation, but it will undoubtedly buy you valuable time.
What to do:
- Being absolutely paranoid and incredibly aware of security risks and practices (compartmentalization, running different programs in different VMs)
- Using privacy-focused hardware, firmware and software
- Pulling every single trick out of the hat and hardening your setup as well as humanly possible
- Lying low and not drawing any attention. They cannot hack you if they do not know where you are.*
- Maybe even getting rid of all electronics for a while is a good idea.
*The zero-click vulnerabilities we have seen were in WhatsApp and SMS, I believe (please do correct me if I'm wrong). If they do not have any way of sending payloads to your device, that removes a big attack vector.
I am very aware that other attack vectors exist, do not worry, but a lot of them need you to do something for them. Only a handful can infect a computer without user interaction, with messaging being (in my opinion) the biggest.
All security measures are very nice to have, but verified boot in particular is just overhyped.
Edit, since there was a bit of confusion: both GrapheneOS and CalyxOS focus all of their resources on the Google Pixel series. Two entire ROMs chose to focus all of their effort on one line of smartphones from one company, just because of the ability to relock the bootloader.
I do understand the entire "chain of trust" part behind it, but it is neither bulletproof, nor is embedding malware into the OS itself such a huge risk for the average person.
I am very aware that in any mainstream operating system all malware mitigation techniques should be dialed to 11, but in my opinion it is worth missing out on verified boot if you are not wanted by any major intelligence agency, or if you are going to buy a non-Android device.
Some people think that Linux is "insecure" because it "does not meet 'standard' security measures". This is absolute bs to a very big extent.
If Linux is insecure: open a terminal and hack Google's or Amazon's servers. Go on!
The only thing a lack of secure boot does is shape the malware development landscape for that OS.
Is that particularly good? No.
Is that an imminent security threat? No.
Could it be used in combination with other zero-days to compromise a system? Yes.
Can any system's OS be compromised, regardless of secure boot? Yes.
Is it better to have verified boot than not? Yes.
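To make the "chain of trust" behind verified boot concrete, here is an added example (not code from the original post, nor from GrapheneOS, CalyxOS or AOSP) that models the boot path in Python: a digest fused at the factory pins the bootloader, the bootloader verifies an OEM-signed vbmeta table, and vbmeta pins the digest of every partition it lists. The signature scheme is a Lamport one-time signature over SHA-256, swapped in only because it needs nothing beyond the standard library; real vbmeta images are RSA-signed. The image contents, device names and scenario labels are constructed for illustration. It shows both halves of the argument above: on a locked device a persistent change to the system image, a re-signed vbmeta or a replaced bootloader is rejected; an unlocked device boots the same tampered image with only a warning; and a compromise that lives only in memory passes verification unchanged, because nothing on flash differs.

```python
# Added example, not code from the original post or from GrapheneOS, CalyxOS or
# AOSP: a toy model of the Android-style verified-boot chain of trust with
# constructed image contents. Lamport one-time signatures over SHA-256 stand in
# for the RSA signature real vbmeta images carry. States follow Android's
# green / orange / red naming; "refuse" is this model's name for a bootloader
# the boot ROM will not run at all.
import hashlib
import os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# ---- Lamport one-time signatures (stand-in for RSA; each key signs once) ----
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(sha256(msg)))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][b] for i, b in enumerate(_bits(sha256(msg))))

# ---- vbmeta: the OEM-signed table of partition digests ----
def build_vbmeta(partitions: dict, oem_sk) -> dict:
    body = b"".join(f"{name}={sha256(img).hex()}\n".encode()
                    for name, img in sorted(partitions.items()))
    return {"body": body, "sig": sign(oem_sk, body)}

def parse_vbmeta_body(body: bytes) -> dict:
    table = {}
    for line in body.decode().splitlines():
        name, digest = line.split("=", 1)
        table[name] = digest
    return table

# ---- The device: what is fixed in hardware, plus the lock state ----
def make_device(oem_pk, bootloader_image: bytes, locked: bool = True) -> dict:
    return {"fused_bootloader_digest": sha256(bootloader_image),  # burned at the factory
            "oem_pk": oem_pk,  # in practice carried inside the bootloader image
            "locked": locked}

def boot(device: dict, flash: dict):
    """Walk the chain of trust. Returns (state, reason)."""
    # Stage 1: the boot ROM only runs a bootloader matching the fused digest.
    if sha256(flash["bootloader"]) != device["fused_bootloader_digest"]:
        return "refuse", "bootloader does not match fused digest"
    # Stage 2: an unlocked bootloader skips verification and warns (orange state).
    if not device["locked"]:
        return "orange", "bootloader unlocked; vbmeta and partitions not verified"
    # Stage 3: vbmeta must carry a valid signature from the OEM key.
    vbmeta = flash["vbmeta"]
    if not verify(device["oem_pk"], vbmeta["body"], vbmeta["sig"]):
        return "red", "vbmeta signature invalid"
    # Stage 4: every partition listed in vbmeta must hash to the recorded digest.
    for name, expected in parse_vbmeta_body(vbmeta["body"]).items():
        if sha256(flash[name]).hex() != expected:
            return "red", f"partition {name} does not match vbmeta"
    return "green", "all verified partitions match"

def demo() -> dict:
    """Run the scenarios from the discussion above; return scenario -> boot state."""
    oem_sk, oem_pk = keygen()
    bootloader = b"oem bootloader v1 (constructed)"
    partitions = {"boot": b"kernel+initramfs (constructed)",
                  "system": b"android system image (constructed)"}
    flash = {"bootloader": bootloader, "vbmeta": build_vbmeta(partitions, oem_sk), **partitions}
    device = make_device(oem_pk, bootloader)
    results = {"clean": boot(device, flash)[0]}
    # A persistent implant written into /system is caught at the next boot.
    tampered = dict(flash, system=flash["system"] + b"\nimplant.so")
    results["tampered_system"] = boot(device, tampered)[0]
    # Re-signing vbmeta with an attacker key fails against the OEM public key.
    attacker_sk, _ = keygen()
    tampered_parts = {k: tampered[k] for k in partitions}
    resigned = dict(tampered, vbmeta=build_vbmeta(tampered_parts, attacker_sk))
    results["resigned_by_attacker"] = boot(device, resigned)[0]
    # A swapped bootloader never gets past the boot ROM.
    results["replaced_bootloader"] = boot(device, dict(flash, bootloader=b"attacker bootloader"))[0]
    # The same tampered image on an unlocked bootloader boots with a warning only.
    results["unlocked_tampered"] = boot(make_device(oem_pk, bootloader, locked=False), tampered)[0]
    # A compromise living only in memory changes nothing on flash, so verified
    # boot has nothing to object to: that is the Pegasus case from the text.
    results["runtime_only"] = boot(device, flash)[0]
    return results

if __name__ == "__main__":
    for scenario, state in demo().items():
        print(f"{scenario:22s} -> {state}")
```

The last scenario is the one the argument above turns on: verified boot answers "is the code on flash what the OEM signed?", and a runtime exploit that never writes to flash leaves that answer at "yes". What it does buy is that such an exploit has to be re-run after every reboot instead of being persisted into /system.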
If you desperately want secure boot on Linux, just follow the wiki: Unified Extensible Firmware Interface/Secure Boot - ArchWiki