GrapheneOS

GrapheneOS, 8 days ago

@phil_stevens

Our feature does not pretend that a wipe didn't happen, which would be easily detected and you'd be caught making obvious lies.

On a surface level, it looks like the hardware failed and data was corrupted but it's going to be known that it was wiped via duress PIN/password if they aren't an idiot. It can analyzed to determine it clearly wasn't a hardware failure.

> reimaged the disk with a dummy OS, full of bland and unremarkable files

How would this avoid them detecting it?

GrapheneOS, 8 days ago

@phil_stevens

Even on a surface level, it's going to be quite clear that's what happened. On a lower level, via forensic analysis, it's going to be provable to a high degree of confidence that data was wiped. We didn't try to implement some kind of partial wipe with an attempt to hide it because there isn't really a way to do that without it being easily detected.

We'd also rather not create a suspicion that our users did something they didn't actually do.

The feature has a narrow use case.

GrapheneOS, 8 days ago

@phil_stevens

It would be entirely possible to make another variant of this feature which only wipes certain user profiles. It will be possible to detect that certain user profiles were wiped through forensic analysis. There will be lots of evidence showing it happened. We cannot provide a feature where we tell people it can do something that cannot really be done. There's nearly no form of this we could make that would be undetectable.

Standard forensics tools are normally what's being used.

GrapheneOS, 8 days ago

@phil_stevens

A standard, baseline feature of forensics tools from Cellebrite, XRY, Graykey, etc. is performing a full filesystem extraction when they have been given the correct lock method. If it's possible to detect traces of what's deleted in that, then it would be highly dangerous and misleading to claim that it's stealthy.

We could implement partial data wiping duress PIN/password support but it must truly make the data unrecoverable, which is questionable without reboot/shutdown.

GrapheneOS, 8 days ago

@phil_stevens If the sensitive data is all neatly inside of a virtual machine with the data storage encrypted with a hardware keystore key, then it's possible to get rid of all of it reliably but it's not really deniable. It's hard to really make anything deniable. There are traces something happened not just on the device but outside it, like your contacts receiving messages you sent, so clearly you sent them somehow, with a device you had access to, so what happened to that data?

GrapheneOS, 8 days ago

@phil_stevens User profiles are not super neatly contained and cleanly removed. They each have their own credential encrypted storage keys for their file names and data blocks which can be reliably wiped and purged from memory... but for higher assurance you really want to shutdown/reboot. There are all kinds of traces of them left despite reliably deleting file names and data blocks for data inside the profile, since there is OS data about the profile, apps, etc. outside of them.

GrapheneOS, 8 days ago

@phil_stevens We often get asked to add support for stealthily wiping user profiles. Our concern is that standard forensics tools can easily spot that this happened. Users often say they don't care about that and just want to fool a non-expert without tools... but they're underestimating how easy it is to detect and how widespread those tools are. If we added this kind of thing, we would make it absolutely clear that it's NOT stealthy and it can be easily detected that it happened.

GrapheneOS, 10 days ago

We've also finally added documentation on our USB-C port control to our features page:

https://grapheneos.org/features#usb-c-port-control

Most users can set this to "Charging-only when locked" without a loss of functionality or even "Charging-only" if you don't use USB accessories, DisplayPort or MTP.

GrapheneOS, 10 days ago

Our upcoming 2-factor fingerprint unlock will make using a strong passphrase as primary unlock method practical via fingerprint+PIN secondary unlock instead of fingerprint-only. Great for people who want to avoid relying on secure element throttling but don't want fp-only unlock.

GrapheneOS, 8 days ago

@Joseph_of_Earth @jerry Spreading content like this based on targeting someone with fabricated stories and trying to portray them as insane is genuinely harassment. It's what Kiwi Farms does to people. Jonah is one of the core members of the Techlore project, and he was deeply involved in years of harassment. Stating that is absolutely true, not a way of deflecting criticism from someone who is clearly spreading fabrications about our project for years, which you're spreading on their behalf.

GrapheneOS, 8 days ago

@Joseph_of_Earth @jerry We haven't engaged in harassment towards anyone. It's a complete lie. Defending ourselves from ongoing fabricated stories and extreme harassment including swatting attacks targeting the lead developer at the time is not itself harassment. Spreading fabricated stories about someone, trying to portray them as crazy to encourage people to harass them and spreading Kiwi Farms style harassment content is certainly harassment though.

GrapheneOS, 9 days ago

Search "DFIR" via Discord discover, preview server without joining and search for GrapheneOS if you want to quickly debunk that fabrication.

https://grapheneos.social/@GrapheneOS/112553695966336807 is the thread we're supposedly marketing GrapheneOS as making people "untouchable" (no) by "law enforcement" (no).

GrapheneOS, 8 days ago

@Laird_Dave @KellyandRoger

Fairphone's devices lack proper Android security patches or the standard security features. Using an alternate OS on it doesn't resolve the major security flaws. GrapheneOS has hardware security requirements because it's a hardened OS existing to provide a high level of privacy and security not achievable without having secure hardware and firmware to build on. Please see https://grapheneos.org/faq#future-devices. Fairphone devices provide less than typical devices like Galaxy.

GrapheneOS, 8 days ago

@Laird_Dave @KellyandRoger

For the update situation:

https://support.fairphone.com/hc/en-us/articles/18682800465169-Fairphone-5-OS-Release-Notes
https://support.fairphone.com/hc/en-us/articles/4405858220945-Fairphone-4-OS-Release-Notes

Android Security Bulletins are a list of the subset of High and Critical severity patches backported to older Android releases and required to achieve a given Android security patch level. Those older releases are currently Android 12, 13 and 14.

Fairphone and other OEMs receive early access of around 30 days. Despite this, they're being shipping 1-2 months late. This is also only a subset.

GrapheneOS, 8 days ago

@Laird_Dave @KellyandRoger

he firmware, drivers and other device code come from Fairphone, not AOSP. Half of these patches are for that code. Some of the AOSP patches also need to be applied for that code. This matters to another OS.

Monthly, quarterly and yearly Android releases provide full security patches including the Moderate/Low severity patches and High/Critical patches backported later. That's currently the May release of Android 14 QPR2 but should be Android 14 QPR3 later today.

GrapheneOS, 8 days ago

@Laird_Dave @KellyandRoger

As a real world example of why the hardware requirements matter:

https://grapheneos.social/@GrapheneOS/112462758257739953

Only Pixel 6 and later or iPhone 12 or later has a good enough secure enough to prevent Cellebrite doing brute force attacks. Pixel 2 or later has a secure element doing brute force protection.

Fairphone doesn't have this feature. A typical lock method such as random 6 digit PIN on a Fairphone doesn't provide working encryption even without advanced secure element exploits.

GrapheneOS, 8 days ago

@Laird_Dave @KellyandRoger The batteries in Pixels can be replaced. Repair shops can do this quite safely.

https://www.ifixit.com/Guide/Google+Pixel+8+Battery+Replacement/166180

Pixel 8 has an actual 7 years of support from launch where it receives the updates in the month they're released.

It's much different than Fairphone's approach of shipping an update in 2024 which released in 2022 and then presenting that as providing 2 more years of support than a phone which shipped it in 2022. That doesn't sit right with us at all.

GrapheneOS, 8 days ago

@Laird_Dave @KellyandRoger They weren't nearly as popular then as they are now, and there weren't official iFixit parts or comparable quality guides. It's not worth doing for an end-of-life phone though, since they only had 3 years of official support.

https://www.ifixit.com/products/google-pixel-5-battery-genuine

GrapheneOS, 8 days ago

@boldsuck @Laird_Dave @KellyandRoger Qualcomm will probably provide a bit more than the minimum support, but FP4 is almost certainly not going to get security support as long as they've made it seem. Getting the subset of patches backported to older releases 1-2 months late without the monthly/quarterly/yearly updates with full patches is not very good security support though. Security also involves a lot more than just shipping patches for vulnerabilities:

https://grapheneos.org/faq#future-devices