Summary
- Security researchers from GrapheneOS have discovered a firmware vulnerability in Android, exploited by forensic companies with physical device access.
- GrapheneOS offers an automatic reboot option to mitigate attacks and suggests improvements to the reboot process on Android.
- Rebooting phones after a period of inactivity reduces the window of opportunity for attacks.
Security researchers from the privacy and security-focused custom ROM GrapheneOS have found a firmware vulnerability in Android. To reduce the window of opportunity for this and other, yet-to-be-discovered vulnerabilities, GrapheneOS already offers an automatic reboot option, but suggests improvements to the reboot process itself on Android to further mitigate attacks on other devices.
While GrapheneOS hasn’t made details about the discovered exploit public yet, the security researchers say that it is already being exploited by forensic companies with physical access to devices today (via Bleeping Computer). Both Pixel and Galaxy phones are vulnerable. The attack can only be carried out on devices that are not at rest, meaning those that have been unlocked at least once after they were booted. Devices that were rebooted and haven’t been unlocked yet are safe from this attack.
GrapheneOS automatically reboots phones if they haven’t been used for 18 hours by default, reducing the window of opportunity to break in and obtain data using the firmware exploit or other attacks that rely on devices in their not-at-rest state. Users can set the window to another value if they prefer, going as low as 10 minutes.
Before it uncovered the exploit, GrapheneOS only auto-rebooted after 72 hours of inactivity, but it has since tweaked the default setting to be lower. To prevent any problems from cropping up with the shorter window, devices will now also only start the reboot timer again once the device has first been unlocked after rebooting.
While a phone is at rest, only a handful of services are allowed to run in the background. You can still receive phone calls, SMS messages, and alarms from your default clock app, but you won’t get notifications from most third-party apps.
To make attacks like this harder, it would likely make sense for Google and other manufacturers to introduce similar auto-reboot features. Some manufacturers, among them Samsung and OnePlus, already offer optional reboots at set times, but an auto-reboot timer like GrapheneOS offers isn’t widespread.
Google Pixel phones don’t support any sort of auto-reboot option in their stock firmware, which is a questionable omission based on these findings. Regularly rebooting your phone is a good idea in the first place to ensure that it keeps running smoothly, but doing it manually won’t help if you lose your phone while it’s in its not-at-rest state.
GrapheneOS also says it proposed new security measures to Google to further prevent attacks like this, such as fully emptying memory on boots (zero memory).
GrapheneOS admits that it has mostly focused on protection from remote attacks and privacy-focused tweaks to Android, but the vulnerability it found made clear that physical protection is equally important. The company plans to introduce more features that make physical exploits like this harder, such as blocking new USB peripherals while the device is locked.
Source link
