password to access recovery #280
Comments
thestinger added the Type: enhancement label on May 28, 2016
ghost commented Jun 14, 2016
The stock AOSP ROM doesn't do anything besides installing updates and factory resets AFAIK.
Adding a password to the recovery might lock the user out of his phone entirely if he forgets his password.
Only when the phone is unlocked do things get dangerous, since you can flash 3rd party recoveries that DO allow you to mess with the system.
thestinger (Contributor) commented Jun 14, 2016
CopperheadOS removes the ability to perform factory resets from there in order to prevent bypassing the OEM unlocking toggle within the OS.
So this comes down to whether it's a risk to expose the attack surface of sideloading updates. It's not possible to sideload an update with an incorrect signature, but there's code exposed to exploitation. Either way, it's not a huge risk since it requires physical access and couldn't be used to bypass encryption, only to perform an on-device brute force attack.
thestinger added the Priority: low label on Jun 14, 2016
thestinger (Contributor) commented Jun 14, 2016
I considered closing this but I don't think it's totally without merit. I wouldn't want there to be a password when simply rebooting to recovery from the OS though... the hardware might provide a reboot reason, but it could potentially be bypassed if it relied on that. Anyway, on the fence about whether this should just be closed.
ghost commented Jun 14, 2016
> CopperheadOS removes the ability to perform factory resets from there in order to prevent bypassing the OEM unlocking toggle within the OS.
So if I understand correctly, there's no way to reset the phone without access to the OS?
thestinger (Contributor) commented Jun 14, 2016
If OEM unlocking is disabled from within the OS, yes. Otherwise the bootloader can be unlocked, and unlocking wipes the data. The OEM unlocking toggle would be useless without removing the wipe option from recovery since you could just wipe, boot the OS and enable OEM unlocking.
We still have the power to wipe it via a properly signed sideloaded package but that isn't exposed in the recovery. A user building and signing their own OS would have that power instead.
thestinger (Contributor) commented Jun 14, 2016
The OEM unlocking toggle is an anti-theft feature and therefore not having the encryption password will turn the device into a brick without a properly signed package to sideload for wiping it. In theory, something like data corruption could trigger the same thing, but there's always the possibility of recovery failing to boot regardless. Android's safe mode is a nice airbag for this. If you don't like the trade-off you can lock the bootloader but leave OEM unlocking enabled.
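The two comments above argue about reachability: with a factory reset exposed in recovery, a thief can wipe, boot the fresh OS, flip the OEM unlocking toggle and then `fastboot` unlock, so the toggle protects nothing; remove the reset and the toggle works, but an owner who forgets the password has no way back except a package signed with the OS vendor's key (or having left the toggle on). The script below is an added example written for this page, not CopperheadOS or AOSP code. It models that argument as a small state machine and searches for attacker and owner paths. The state fields, action names and the `Config`/`Actor` knobs are assumptions made for illustration; the transition rules only encode what the thread states (recovery boots without a credential, recovery rejects packages with a bad signature, the toggle lives inside the booted OS, `fastboot flashing unlock` requires the toggle and wipes user data).

```python
"""Reachability model of the recovery-wipe / OEM-unlock argument.

Added example, not project code. Names and structure are assumptions chosen
to illustrate the thread's reasoning.
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    bootloader_locked: bool
    oem_unlock_enabled: bool   # the "OEM unlocking" toggle in Developer options
    user_data_present: bool    # encrypted user data still on the device


@dataclass(frozen=True)
class Config:
    recovery_exposes_wipe: bool  # stock AOSP recovery: True; CopperheadOS: False


@dataclass(frozen=True)
class Actor:
    knows_credential: bool        # can unlock the booted OS
    has_vendor_signed_wipe: bool  # holds a wipe package signed with the OS signing key


LOCKED_TOGGLE_OFF = Device(bootloader_locked=True, oem_unlock_enabled=False, user_data_present=True)
LOCKED_TOGGLE_ON = Device(bootloader_locked=True, oem_unlock_enabled=True, user_data_present=True)

STOCK = Config(recovery_exposes_wipe=True)
COPPERHEAD = Config(recovery_exposes_wipe=False)
THIEF = Actor(knows_credential=False, has_vendor_signed_wipe=False)
FORGETFUL_OWNER = THIEF  # once the password is gone, the owner has the same moves
VENDOR_ASSISTED = Actor(knows_credential=False, has_vendor_signed_wipe=True)


def steps(d: Device, cfg: Config, who: Actor) -> Iterator[Tuple[str, Device]]:
    """Yield (action, next_state) for every move the actor can make from d."""
    # Recovery boots without a credential; a factory reset is only on offer
    # if this recovery build exposes it.
    if cfg.recovery_exposes_wipe and d.user_data_present:
        yield "recovery_factory_reset", replace(d, user_data_present=False)
    # Sideload is offered, but a package whose signature does not verify is
    # rejected, so only a vendor-signed wipe package changes anything.
    if who.has_vendor_signed_wipe and d.user_data_present:
        yield "sideload_vendor_signed_wipe", replace(d, user_data_present=False)
    # The toggle is inside the OS: reachable with the credential, or after a
    # wipe (fresh setup, no credential configured yet).
    if (who.knows_credential or not d.user_data_present) and not d.oem_unlock_enabled:
        yield "enable_oem_unlocking_in_os", replace(d, oem_unlock_enabled=True)
    # fastboot unlock requires the toggle and wipes user data as a side effect.
    if d.bootloader_locked and d.oem_unlock_enabled:
        yield "fastboot_flashing_unlock", replace(d, bootloader_locked=False, user_data_present=False)


def search(start: Device, cfg: Config, who: Actor,
           goal: Callable[[Device], bool]) -> Optional[List[str]]:
    """Breadth-first search: shortest action sequence reaching goal, or None."""
    queue = deque([start])
    came_from: Dict[Device, Tuple[Optional[Device], Optional[str]]] = {start: (None, None)}
    while queue:
        cur = queue.popleft()
        if goal(cur):
            path: List[str] = []
            while came_from[cur][0] is not None:
                prev, act = came_from[cur]
                path.append(act)
                cur = prev
            return path[::-1]
        for act, nxt in steps(cur, cfg, who):
            if nxt not in came_from:
                came_from[nxt] = (cur, act)
                queue.append(nxt)
    return None


def bootloader_unlock_path(cfg: Config, who: Actor,
                           start: Device = LOCKED_TOGGLE_OFF) -> Optional[List[str]]:
    """Can this actor get the bootloader unlocked (the anti-theft question)?"""
    return search(start, cfg, who, lambda d: not d.bootloader_locked)


def wipe_path(cfg: Config, who: Actor,
              start: Device = LOCKED_TOGGLE_OFF) -> Optional[List[str]]:
    """Can this actor get the device wiped and usable again (the brick question)?"""
    return search(start, cfg, who, lambda d: not d.user_data_present)


if __name__ == "__main__":
    print("stock recovery, thief unlocks bootloader:", bootloader_unlock_path(STOCK, THIEF))
    print("CopperheadOS, thief unlocks bootloader:  ", bootloader_unlock_path(COPPERHEAD, THIEF))
    print("CopperheadOS, owner forgot password:     ", wipe_path(COPPERHEAD, FORGETFUL_OWNER))
    print("CopperheadOS, vendor-signed wipe:        ", wipe_path(COPPERHEAD, VENDOR_ASSISTED))
    print("CopperheadOS, toggle left on:            ", wipe_path(COPPERHEAD, FORGETFUL_OWNER, LOCKED_TOGGLE_ON))
```

Running it shows the three-step bypass on a stock recovery, no path at all for a thief once the reset is removed, `None` (a brick) for an owner without the password or a signed package, the single sideload step when the vendor helps, and the single `fastboot` step when the owner kept the toggle enabled, which is exactly the trade-off the last comment describes.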
ghost commented Jun 14, 2016
I think OEM unlocking by itself isn't a problem. The fact that it triggers a data wipe is to protect the user's data.
As you said, without access to the system (user forgets his screen lock password) the phone is bricked. I'm not sure if that's really something you'd want. It sure is a nice anti-theft feature, but at the same time it can cause a lot of trouble. Perhaps not that much of an issue with fingerprint readers, but still. I have plenty of old phones lying around for which I don't remember the screen lock, but I could just reset them whenever I need them.
thestinger (Contributor) commented Jun 14, 2016
So don't disable the OEM unlocking toggle. It's a choice. There's no reason for it to exist if data wiping is exposed in recovery.
thestinger (Contributor) commented Oct 15, 2016
Not planning on implementing this. It doesn't really offer a substantial reduction in attack surface, and it removes a way to recover devices as a last resort (i.e. using our signing keys to wipe them).
subproc commented May 28, 2016
Could it be a security feature to have a password (or PIN or fingerprint, ...) to access the recovery? 'Cause now everyone can start the phone in recovery and try to hack it... or not?