Conversation

This especially affects used phones. How does a non-technical buyer know whether it is pre-rooted/jailbroken or not?

Quote Tweet

Jan 24, 2019

The 'returned product attack' here - buy, replace the firmware, return and hope someone else buys it - is a real-world evil maid attack, and speaks very much to why we need secure boot on IoT systems. Supply chain security is more complex that 'just' up to FOB delivery. twitter.com/CANcrypt/statu…

Replying to

Thought about doing this as a research project many many years ago, but decided it didn't have research value and would likely be a lot of trouble to actually do. This was after buying heaps of used Android phones on eBay and finding all kinds of things on them.

Replying to

and

attestation.app/about is able to check for that kind of tampering. If it's a sophisticated attack, they could have a verified boot bypass via an exploit triggered during the verification process on boot, but attestation can detect the device isn't updated if it's only OS level.

Replying to

and

Nice new domain for this (or at least, new to me)! Would be great to see some iOS support for this kind of thing also.

Replying to

and

The ideal case would be for sending a phone through the mail, where the person sending it sets up pairing with the person receiving it before sending it. That gives it the full strength it's meant to have and something similar could be done for iOS with hardware-backed keys.

2:32 PM · Jan 24, 2019Twitter Web Client

Replying to

and

I don't think iOS has something like key attestation or a way to do remote attestation though. It's just not one of the APIs that's available, so an equivalent to the app can't really be made for it. The Android APIs for it aren't perfect but they're useful and getting better.

Replying to

and

I bet they do just not exposed to the developer/user.

Show replies