Proposal: Make bespoke Android firmwares designed to be difficult to remove, distribute them to infosec people, and challenge them to install the firmware then uninstall it again as a hacking challenge. You could call it an escape ROM
What would make it "difficult to remove" anyway? Wouldn't replacing the recovery with a "vanilla" recovery/TWRP and then flashing a new image remove it?
You can have them lock the bootloader and then have the OS disable OEM unlocking so it can't be unlocked again without compromising the early boot chain or the OS. This is how Factory Reset Protection functions with the stock OS. It stores an account id that's needed on boot.
If you could simply unlock and flash another OS, then you could trivially bypass FRP. OEM unlocking toggle needs to be enabled in the OS before you can do that which is how this works. Most devices don't properly support locking + using verified boot for another OS but Pixels do.
's proposed CTF game with the stock Pixel OS. Log into an account in the OS, make sure OEM unlocking is disabled, factory reset the device and it's a fresh install with an account id in the frp data section on the Titan M secure element.
Google will pay bounties for the kinds of exploits needed to bypass it.
https://bughunters.google.com/about/rules/6171833274204160…
Could make it as hard as possible by flashing an OS that's simply a tiny payload disabling OEM unlocking, i.e. it's bricked by flashing it and locking, unless they have an exploit.
The point of the stock OS approach is that even if a thief wipes a stolen device via recovery, it's still tied to the account. They either need to exploit the OS or get valid credentials for that account. Advanced Protection Program makes it much harder to do that via support.
For a normal Android OS, the requirement is essentially getting root or system-level access in the OS. Exploiting the Settings app would be enough, although that's harder than other approaches. It's essentially a compromise-the-OS CTF. Simply remove the OEM unlocking toggle.
It avoids having users brick their device if they forget their unlock method while still providing strong anti-theft protection. Strength of this varies based on the OS, firmware and hardware security along with Google account security for that approach but can do it another way.
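The gating described across the posts above (the OEM-unlock flag and the FRP account id sit in a persistent block that a recovery wipe does not clear, the bootloader honours an unlock only if the OS-side toggle was on, and the toggle can only be flipped from inside the OS) is easy to get wrong in one's head, so here is a toy model of it. This is an added example, not code from the thread, from AOSP or from any Pixel firmware; every name in it (`PersistentDataBlock`, `fastboot_unlock`, `compromise_os`, the account directory) is an assumption of the model, and the three escape paths it evaluates are the ones the posts list: wipe and try to unlock, guess credentials, supply valid credentials, or exploit the running OS.

```python
"""Toy model of Android FRP + OEM-unlock gating (added example, not AOSP code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PersistentDataBlock:
    """State that survives a factory reset; on Pixels the thread places it on the Titan M.
    Assumed field names, not the real partition layout."""
    oem_unlock_allowed: bool = False      # the 'OEM unlocking' toggle, as seen by fastboot
    frp_account_id: Optional[str] = None  # account the device is tied to, or None


@dataclass
class Device:
    bootloader_locked: bool = True
    pdb: PersistentDataBlock = field(default_factory=PersistentDataBlock)
    set_up: bool = False        # past the setup wizard: an owner session exists
    os_privileged: bool = False  # attacker has system/root code execution in the OS


def enroll(dev: Device, account_id: str) -> None:
    """Owner logs in and leaves 'OEM unlocking' off: device is now tied to the account."""
    dev.set_up = True
    dev.pdb.frp_account_id = account_id
    dev.pdb.oem_unlock_allowed = False


def recovery_wipe(dev: Device) -> None:
    """Factory reset from recovery: userdata goes, the persistent block does not."""
    dev.set_up = False
    dev.os_privileged = False


def setup_wizard_login(dev: Device, account_id: str, password: str, directory: dict) -> bool:
    """FRP check after a wipe: only the enrolled account's valid credentials clear it.
    `directory` is a constructed stand-in for the account provider."""
    wanted = dev.pdb.frp_account_id
    if wanted is not None and not (account_id == wanted and directory.get(account_id) == password):
        return False
    dev.pdb.frp_account_id = None
    dev.set_up = True
    return True


def compromise_os(dev: Device) -> None:
    """Stands in for an OS/Settings exploit giving system-level access (no real exploit here)."""
    dev.os_privileged = True


def toggle_oem_unlock_from_os(dev: Device) -> bool:
    """The Settings toggle: needs either an owner session or privileged code in the OS."""
    if not (dev.set_up or dev.os_privileged):
        return False
    dev.pdb.oem_unlock_allowed = True
    return True


def fastboot_unlock(dev: Device) -> bool:
    """Bootloader unlock is honoured only if the OS previously set the flag."""
    if not dev.pdb.oem_unlock_allowed:
        return False
    dev.bootloader_locked = False
    return True


def stolen_device() -> Device:
    """A device enrolled by its owner, then wiped from recovery by whoever holds it."""
    dev = Device()
    enroll(dev, "owner")
    recovery_wipe(dev)
    return dev


def escape_paths(directory: dict) -> dict:
    """Try each way out on a fresh stolen device; True means the bootloader got unlocked."""
    results = {}

    dev = stolen_device()
    results["wipe_then_unlock"] = fastboot_unlock(dev)

    dev = stolen_device()
    results["wrong_credentials"] = setup_wizard_login(dev, "owner", "guess", directory)

    dev = stolen_device()
    results["valid_credentials"] = (
        setup_wizard_login(dev, "owner", directory["owner"], directory)
        and toggle_oem_unlock_from_os(dev)
        and fastboot_unlock(dev)
    )

    dev = stolen_device()
    compromise_os(dev)
    results["os_exploit"] = toggle_oem_unlock_from_os(dev) and fastboot_unlock(dev)
    return results


if __name__ == "__main__":
    # Constructed account directory for the demo; not a real credential store.
    for path, ok in escape_paths({"owner": "correct-horse"}).items():
        print(f"{path:18s} -> {'unlocked' if ok else 'blocked'}")
```

The two paths that succeed are exactly the two the thread names: valid account credentials, or code execution inside the OS that can flip the toggle. The model deliberately omits the screen-lock confirmation the real toggle asks for, since an attacker with system privileges in the OS is already past that check.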