The Google Pixel and its Verified-Boot are Overhyped

I have seen a lot of praise for the Google Pixel smartphone. Why? Verifiedboot. You can relock the bootloader, which creates a chain of trust, making it oh so much more secure.
Many privacy enthusiasts now buy Google Pixel phones, and here’s why I do not think that is a good Idea:

1: They are directly funding googles mass surveillance
2: They are funding google, rather than buying actually privacy focused hardware. This is obviously a very strategic move by google to weaken this entire branch of the tech industry. They as a international, multi Billion dollar company can of course provide better quality hardware for a cheaper price.

For a user to be able to turn on the option to unlock the bootloader, they have to either log into a google account, or at least connect to the internet, or the option will be greyed out. Why? It does not make any sense! Connecting to the internet for even a few minutes on a non-FOSS stock android, and being forced to do so in order to liberate the phone seems very sketchy to me.

I would personally rather opt for a Pinephone.
Is it perfect: no
Is it private: yes
Does it have verified-boot: no
Is it secure: yes.


Here’s why I do not think verifiedboot is worth buying from Google for:

For most of us, we will never even have malware enter our system. Malware mitigations do not actually protect us from getting malware, we cannot forget that.
When the malware is already on the phone and tries to deploy, that is when the malware mitigations (secure boot, sandboxing, mac, encryption…) actually come in handy. It is however very much possible to circumvent all of these precautions, as we have seen with the Pegasus malware.

At the end of the day, your Threatmodel plays a big part in your decision making:

Lets go over the most basic ones:

  • 1: General, widespread malware, trying to trick people into joining a botnet
  • 2: Targeted attacks against a individual
  • 3: Targeted attacks against a individual by a Government

Type 1: Widespread malware

This type of malware will probably only exploit already known security vulnerabilities and will heavily rely on the user for the attack to work. Things like picture.png.py, phishing and “Your Computer has a Virus” pop-ups.

What 2 do:

  • Virtually all of these attacks can be avoided by staying vigilant, just common sense and knowledge about computers
  • If you do run Linux, most malicious programs will not work, since the Linux Desktop userbase just is not that big, and the malware will have to be tailored for Linux, to even work properly.

If you are just careful, verifiedboot will never even have to protect you, since malware does not even reach your device in the first place.

Type 2: Targeted (non Government)

This type of malware will probably appear in the form of spear-phishing and targeted attacks with custom crafted payloads. In some circumstances this might also include doxxing or leaking of sensitive information.
The attackers might be on the lookout for CVE’s to use them against you.
This type of malware will probably never have zero-click capabilities, but might try to exploit holes in your Browser, Operating System or other Programs you use. If they do get a payload onto the system, it might inject its code into a privileged progress.

What 2 do:

  • Being careful and aware of what you do will make it very difficult for the attackers.
  • Secure means of Communication & filesharing, strong passwords & 2fa, encryption of sensitive data & cold storage backups, as well as basic security practices (not leaving your phone unattended, airtag protection and privacy screen protectors) will be very important measurements to ensure your safety.
  • Keeping your software updated and being aware of security vulnerabilities in your programs
  • Using a trusted Anti-Virus to ensure the attackers can’t just copy paste code from github
  • If you are using Linux, CVEs are usually addressed way faster than with Windows.
  • Sandboxing such as FireJail and mac like AppArmor do protect your from a “human error” side of things, and again: Vulnerable software, so it should definitely be utilized.

As long as the attacker does not know you do not have verifiedboot, they will not even try to exploit that fact, since secureboot is mainstream (more on that later)

Type 3: The Alphabet bois be knocking

Disclaimer: It sadly is possible to get into such a position without even doing something Illegal, but I again advise to not take any of this as instructions, but rather a technical analysis and thought experiment regarding digital security. I do not condone any criminal behavior.

As we have seen with Pegasus: All Major governments of this world can break into any mobile device via zero-click exploits.
While now, that awareness is through the roof, their job will only get harder, it will sadly not be impossible. It just means that the price for “Pegasus2: Electric Boogaloo” will be way steeper.
Pegasus did not give a flying rabbits ass about verified-boot, sandboxing or mandatory access control, proving once again that these measures are in no way bullet proof.

The general consensus is that Security through Obscurity is not a good practice. This is pretty much universally agreed on, yet both Apple and Microsoft use exactly that.
What I am advocating for is similar, but should not be confused with it: Security through uniqueness.

Lets take BSD for example. It is Open Source, but has a very small market share. What are the odds that any government of this world is pouring millions of dollars into finding zero days for it? Exactly.
Will they find zero days in it if they look for them? Yes. Of course they will, but this is a matter of how fast they will.

When the government is on the hunt for you; you are pretty much done for by default. The only thing you can do is not give them any attack surface.
If a government links any online activity back to you, they will probably just get out the big red button and target your device with a zero-click zero-day. Its up for speculation what will happen after their initial attack fails, but it will undoubtedly buy you valuable time.

What 2 do:

  • Being absolutely paranoid and incredibly aware of security risks and practices (Compartmentalization and running different programs in different VMs)
  • Using privacy focused Hard, Firm and Soft -ware
  • Pulling every single trick out of the Hat, and hardening your setup as good as humanly possible
  • Laying low and not drawing any attention. They cannot hack you if they do not know where you are.*
  • Maybe even getting rid of all electronics for a while is a good idea.

*The zero-click vulnerabilities we have seen were in whatsapp and sms I believe (please do correct me when im wrong). If they do not have any way of sending payloads to your device, that removes a big attack vector.
I am very aware that other attack vectors exist, do not worry, but a lot of them need you to do something for them. Only a handful can just infect a computer without user interference, with (imo) messaging being the biggest.

Conclusion:

All security measures are very nice to have, but especially verifiedboot is just overhyped.
Edit, since there was a bit of confusion: Both Graphene and Calyx focus all of their resources on the Google Pixel series. Two entire roms chose to focus all their power of one line of smartphones from one company, just because of the relocking of the bootloader.

I do understand the entire “Chain of Trust” part behind it, but its neither bullet proof, nor is embedding malware into the os itself such a huge risk for the average person.

I am very aware that in any mainstream operating system, all malware mitigation techniques should be dialed to 11, but In my opinion: It is worth to miss out on VerifiedBoot if you are not wanted by any major intelligence agency, or going to buy non-android.


Some people think that Linux is “unsecure” because it “does not meat “standart” security measures”. This is absolute bs to a very big extent.
If Linux is unsecure: Open a terminal and hack googles or amazons servers. Go on!
The only thing a lack of secure boot does, is shape the malware development field of said os.
Is that particularly good? No
Is that a imminent security threat? No
Could it be used in combination with other zero days to compromise a system? Yes.
Can any systems os be compromised, regardless or secure boot or not? Yes.
Is it better to have verifiedboot than not? Yes

If you desperatly want secure boot in Linux, just follow the wiki: Unified Extensible Firmware Interface/Secure Boot - ArchWiki

2 Likes

Mate the Google Pixels have Verified boot not Secureboot. What verified boot does is check for every single firmware and check if it has been tampered with. Of course thats a vast oversimplification but you gotta understand the difference between them and see why it’s so important.

1: They are directly funding googles mass surveillance
2: They are funding google, rather than buying actually privacy focused hardware. This is obviously a very strategic move by google to weaken this entire branch of the tech industry. They as a international, multi Billion dollar company can of course provide better quality hardware for a cheaper price.

FUD stuff. If you are skeptical just run wireshark after installing graphene mate. Wouldn’t even make sense for Google to do that.

The fuck?

Mate it’s made secure by bois and gurls with years of cybersecurity degree.

Stop spreading FUD. Pinephone is not a good phone for most individuals and they are not open hardware as they seem to imply.

2 Likes

While I am a fan of pointing out that a person’s threat model is very important and that extreme security practices outweighing convenience and privacy factors is not usually the best answer for most people, I do think this post overcorrects very far in the opposite direction and oversimplifies or dismisses some security features which are genuinely important to the average user.

I think the biggest thing here is that Verified Boot is a lot more important on mobile devices than it is on computers, because the application security model of Android and iOS are fundamentally very different. There are a lot of different ways for malware to infect your computer, and Secure Boot only protects against a small subset of that malware, so many people are willing to give up that relatively small protection to run alternative Linux systems on their PCs. However, applications on Android and iOS are much more heavily sandboxed and restricted, so any potential malware that can’t break out of that sandbox is essentially useless. Therefore, many (if not most) of the threats people will be concerned about on their mobile devices will be malware that infects their core system, which Verified Boot of course protects against.

Nobody is making the claim that Linux is not secure, unless they fundamentally do not understand how computers work and/or are just misquoting someone else. People do claim that Desktop Linux is not secure, which is a potentially arguable claim. Securing a computer which serves only pre-made data stored on it to visitors is a completely different problem to solve than securing a computer which has a regular user with full root access accessing arbitrary websites and installing arbitrary applications on a daily basis.

Desktop Linux is fundamentally less secure than other operating systems in many different ways. That being said, whether those security deficits are actually going to matter to you depends on a lot of factors, and Linux does have a lot of stuff going for it, so I would not just blanket recommend against Linux at all. It’s just something to be aware of. However, this is why you cannot use the argument that “but Linux servers are secure!” to say that Desktop Linux is secure, these are mostly unrelated problems.

2 Likes

If a system is not secure the system is not private.

No.

Last I checked, it took a state sponsored company to find the no-click RCE. A script kiddie can hack a Linux Distro.

You speak of Threatmodel after you speak about the Pegasus issue. How ironic!

I can plug a USB onto your device and hack you mate.

facepalm

Mate just read this article by Google.

2 Likes

Google will not take illegal action just in the name of data collection.

Go on then and explain to me, how you would hack me.

Most people on this earth will never be a target for the pegasus malware in the first place. If it ever were the case we were in big trouble, because that would mean a powerful government is trying to either end the world, or the internet

Ok, then just come over. I invite you. I dont want to sound like a ironic pos, but mate, you can’t.

nice. they patched security flaws. Its not like I literally said they would in my post:

Umm…

Fair enough

I am a big fan all of Linux’s security measures, and think all of them are important to have on a desktop “just in case”. If It sounded like I despised all security measures, I apologize. I did however point out in my conclusion, that its worth to miss out on, well Verified, which has been pointed out to be, -boot, when buying actual privacy focused hardware.

Edit: I also just want to remind everyone, that this is from a perspective of a privacy minded person on the look for a mobile solution:
Do they buy a google Pixel and flash graphene
Do they buy a One+ and flash Lineage
Do they buy a Pinephone

The privacy difference is pretty much non existant (I know about kde telemetry, and that you can turn it off), so lets just say none.
The only difference is in Security. I wanted to demonstrate how this does not impact the security by making the phone instantly hackable.
The threat model of our imaginary person is imo the key factor in the decision they should go.
If they are neither a public figure, nor wanted by a intelligence agency, they will (probably) never get into a situation where secureboot “could have saved them”, especially since its not bullet proof, and can be defeated, if the enemy has enough resources. Like a intelligence agency would.

Yes, and there is a very good reason for their security model being a lot different: There are, in a scope of the entire world, way more people connecting to the Internet with their phones, than there are with any other technology. In this source I found, they claim 83.40% of all people have a smartphone, which does sound realistic.

As I said in my conclusion:

So I agree that these mobile operating systems should have the best protection possible.

In this forum: Yes, but that is definitly not the case everywhere.

Fair enough. I was kind of meeting generalization with generalization there. You never hear anyone say “Linux Desktop is unsecure”. Many Linux haters just cling to the most minute details they can get.

1 Like

More Shitting on Linux

2 Likes

Ah yes, using WireShark to inspect HTTPS traffic to learn they are communicating WITH GOOGLE? wow! Such shocking revelations!
Now seriously: As long as I will not directly probe the cpu, we will never know what information is exchanged.

Oversimplified, I give you that.

I did not specify further, since I thought that was already common knowlege:
The pinephone is under constant development, and is always improved. Since it ships with Manjaro Plasma Mobile, it is ready out of the box. You generally don’t need technical knowledge to use it, since Plasma is very intuitive.
If it breaks, but you know your way around Linux, it should not be too much of a problem, and you can just open a support ticket so they can fix whatever caused this breakage.
I am fully convinced that the Pine phone could become a viable phone option, even for not tech interested people, especially through Fedora-Silverblue, or other locked down environments.
What wins me over now, is the presence of a headphone jack, bootable expandable sd-card and replaceable battery.

I am very well aware of the technical side of things, rubber duckys and o.mg cables. I said YOU cannot hack my devices, since you do not know where my devices are. Simple as that.

You can analyze if it’s communicating at all with google.

nice, not a single one of these security flaws impacts me

You know you are going to get some unbiased, strictly factual claims that are backed by heavy research when your opponent links a tweet with no sources and 16 likes

putting the entire FOSS dev community and the Linux kernel in one pot. Nice. Can’t see how that could go wrong.

the pinephone og is a very usable device and is very open but most cant use it because its slow (zooomers want zoom) the pro is getting to be fully usable but still it need some time. Also battery is good if you don’t consooome content(also bad for privacy)

1 Like

Nice to get a first hand view. Thank you!

1 Like

yea, atm im dallying the pro mostly the biggest problems i have are with plasma kek. sxmo(dwm) is amazing but i have not had time to set up in sync with creating a Slackware distro for the pro.

1 Like

https://madaidans-insecurities.github.io/linux-phones.html

1 Like

I’m seeing this far too late (thanks Sting Ray for clarifying why people use Pixels / why this post sadly spreads some amount of misinformation)

1 Like

I don’t think @MultiCorn here understands Computer Security.

1 Like