Build server compromise is not enough to get access; you must compromise the signing infra. No competent prod OS / firmware signing infra is online; all build infra is.
Definitely not quicker, but you can reuse an image on any phones you recover, so pretty effective? Not sure I'm sold that this is harder than compromising some escrow infrastructure; is that the main argument?
I agree that an attacker who could get a beachhead inside a hardware/OS provider and sneak a vuln into source control that isn't caught via code review and other means could create a backdoor that would get signed.
I also agree that if there were no downgrade protection in the platform, that would be a persistent attack vector for the attacker. I believe that's the argument you are making, so we are on the same page here.
Are you talking about compromising once, or continual compromise of the build server? (Because the former is thwarted by rollback prevention.)
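The rollback-prevention point above, worked through as an added example (my own code, not anything from the thread's participants or from any vendor's update stack). It assumes a hypothetical signed manifest format (a version number plus the SHA-256 of the image, signed with an ed25519 root key) and a device that keeps a monotonic minimum-version counter; the sample images and the key are constructed in the code. A correctly signed but older image is rejected once the device has moved past its version, which is what closes a one-time signing compromise, while a tampered image under a valid manifest fails the hash check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is an assumed, illustrative update descriptor: the firmware
// version, the hash of the image body, and a signature over both.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Sig       []byte
}

// manifestBytes is the byte string that is actually signed: version and hash
// together, so neither can be swapped independently of the other.
func manifestBytes(version uint32, hash [32]byte) []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], version)
	copy(b[4:], hash[:])
	return b
}

// SignManifest is what the (assumed offline) signing infrastructure does.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Sig: ed25519.Sign(priv, manifestBytes(version, h))}
}

// Device holds the root public key and the anti-rollback counter. On real
// hardware MinVersion must live in tamper-resistant storage (fuses, RPMB);
// here it is a plain field for illustration.
type Device struct {
	Root       ed25519.PublicKey
	MinVersion uint32
}

var (
	ErrBadSig   = errors.New("manifest signature invalid")
	ErrBadHash  = errors.New("image hash does not match manifest")
	ErrRollback = errors.New("version below anti-rollback counter")
)

// Install verifies signature, then image hash, then the rollback counter,
// and only then advances the counter.
func (d *Device) Install(m Manifest, image []byte) error {
	if !ed25519.Verify(d.Root, manifestBytes(m.Version, m.ImageHash), m.Sig) {
		return ErrBadSig
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrBadHash
	}
	if m.Version < d.MinVersion {
		return ErrRollback
	}
	d.MinVersion = m.Version
	return nil
}

// Scenario walks the thread's case: a legitimate v2 ships; an attacker who
// obtained a signed v1 image during a one-time compromise replays it; then
// an image body is tampered with under an otherwise valid v3 manifest.
func Scenario() [3]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{Root: pub, MinVersion: 1}
	// Constructed sample images; a real image would be the firmware blob.
	v1 := []byte("firmware v1 (constructed sample)")
	v2 := []byte("firmware v2 (constructed sample)")
	v3 := []byte("firmware v3 (constructed sample)")
	m1, m2, m3 := SignManifest(priv, 1, v1), SignManifest(priv, 2, v2), SignManifest(priv, 3, v3)

	var out [3]error
	out[0] = dev.Install(m2, v2) // legitimate update: accepted, counter -> 2
	out[1] = dev.Install(m1, v1) // replayed older signed image: rejected
	tampered := append([]byte(nil), v3...)
	tampered[0] ^= 0xff
	out[2] = dev.Install(m3, tampered) // valid manifest, altered body: rejected
	return out
}

func main() {
	for i, e := range Scenario() {
		fmt.Printf("install %d: %v\n", i, e)
	}
}
```

The caveat the thread hints at: the counter only rejects images whose version is below what the device has already installed. A backdoored image signed during a one-time compromise with the then-current version still installs until a later legitimate update raises the counter, so rollback prevention shrinks the window rather than removing it outright.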