Their exploit is only for Android 8-9 since they say exploiting Android 10 is harder so there's already a catch before GrapheneOS hardening comes into play. If you want to pay a security researcher to revert fixes for old vulnerabilities and analyze impact of hardening, go ahead.
Bluetooth is already disabled by default in GrapheneOS. Leave it disabled and remove the quick settings entry so you don't toggle it on by accident. This isn't a good reason to make alternate builds of the OS. That requires substantial resources and wouldn't make much sense.
GrapheneOS can't have assorted variants of the official builds disabling different combinations of features. Our resources are already stretched thin and we're considering dropping support for devices without maintainers. Can't be maintaining variants of the official releases.
So either leave Bluetooth enabled or don't authorize apps to use it unless you trust them with it. The concerns you are raising don't make sense to me and I don't understand why you want special treatment for Bluetooth. We aren't making builds for things toggles handle just fine.
Doesn't make sense. You're saying you're worried about an attacker with local code execution on the device that's succeeding at escalating privileges to the point that they can bypass the permission model / sandbox and change settings. Why focus on Bluetooth over the 3 other radios?
Does not make sense to be concerned about disabled Bluetooth support unless what you want is a hardware kill switch for all forms of powerful data exfiltration including all the radios and speakers. Even then, it has a very limited scope / threat model where it counters anything.
The attacker's code will export data as soon as possible and a hardware kill switch for all powerful forms of data exfiltration can only delay it rather than preventing it. Very limited scope for that to be useful. Probably a better idea to just turn off the device in most cases.