Legacy Android Devices Security -- Who is the Adversary?

Talking about proper Android security gives another opportunity to make my old joke, “one sentence → blog entry finished”:
Get a Google Pixel from series 8 or 9, install GrapheneOS, done.

End of blog entry.
Thanks for reading.
Nah. It’s getting old. There is much more to say than this.

GrapheneOS (GOS) developers are surely doing technical things as correctly as possible. No half measures!

Example: No support for old devices, because the firmware/closed-source part doesn’t get any updates from the manufacturer anymore (I will not even cover the extensive list of features devices must have to be considered for GOS support). This is certainly correct on a factual level – lots of unpatched known security vulnerabilities on old devices. But I *want* to use old devices, including ones that perform far worse from a security point of view than current Pixel phones.

There are still questions to ask:
  • Are firmware patches and AVB (Android Verified Boot) important for a particular use case?
  • Should old and/or insecure devices simply be discarded?

I say: No, they should not be discarded, and I personally would not overestimate the impact of AVB, which GOS emphasizes a lot. While surely a powerful feature when implemented correctly, it won't magically get rid of certain attacks (see below).

Extreme example: I’ve got an old Samsung tablet, model SM-T550. There is pretty much everything wrong with it from the perspective of “no half measures”. It isn’t even close to being 10% correct. A security expert might just say: 🔥“Pour gasoline on it and burn it!”🔥
(Image: SM-T550.png)


Additionally, the bootloader of this tablet was *never* locked in the first place: flashing custom binaries with Odin worked without wiping userdata first. Even worse, I have a custom recovery and Magisk installed (not that it changes anything, given that it was never locked). The only indication one would have had after such an attack was carefully observing the Knox warranty status.

Maintain a clear view of likely(!) risks.


While I’m working on improving my technical computer security and learning something new daily (I bought a new PC just for Qubes OS and a used Google Pixel 8a for GOS), I’m still using this old tablet almost every single day, because it is good enough for some things. I'm consciously accepting certain risks.
Why?
Most Android malware in the wild isn’t a sophisticated targeted attack exploiting an outdated (device-specific) firmware/vendor part. The only thing I’ve personally seen is Trojan horses asking the biggest security hole (aka the user) to grant accessibility privileges. Actually doing so is game over on any OS, no matter how secure it was before. Off-the-shelf malware will most likely target known vulnerabilities in the browser or the OS – at best. Again, Trojan horses are much more likely.

Well. The virtual shotgun distribution method will most likely not work, thanks to a current browser and a somewhat patched OS.

I’m not a primary target justifying the use of expensive exploits. This old tablet is only used for two things: quickly reading news pages in an up-to-date browser and studying facepalm-worthy religious texts¹ (Bible, Quran). There is virtually no data on it, but nevertheless full disk encryption is active, using a 16-character random password – Android doesn’t allow longer passphrases. The tablet is shut down (before first unlock, BFU) and set to secure startup whenever not in use. Yes, it is that old. Android full disk encryption and secure startup are something you don't hear about very often anymore, since all newer devices use file-based encryption nowadays.

Who is the adversary for the tablet?


  • Trojan horses → Not installing garbage and not granting dangerous privileges
  • Drive-by downloads → Unlikely to work: network-wide blocking of crap, up-to-date browser
  • Clueless burglars → Good luck breaking the encryption, even though it is not hardware-backed like on modern devices. If anybody actually wastes their energy (extremely unlikely) on this instead of just formatting /data, and succeeds (even more unlikely), they will be disappointed to see… absolutely nothing
    • The abundance of old, partially vulnerable but encrypted stuff in my house even serves as a decoy, keeping a more serious attacker busy. Just imagining computer forensics wasting time and effort on breaking into empty computers is amusing. :creep:
    • No, encryption passphrases gained from my vulnerable devices are not useful when attacking my more important machines.

The security of my aged SM-T550 is somewhat improved compared to the completely unmaintained stock operating system. At the same time, usability is *greatly* improved, because the extremely old stock OS isn’t supported by many apps anymore.

What would be the consequences of a full security breach on that tablet?


One should also take into account the consequences of a security breach. Will something really bad happen, or are the consequences manageable?

What happens if an adversary remotely becomes root on my Tab A? There is no banking, no credit card, no shopping, no accounts, no contacts, no personal data, no passwords, not even a boring browser history. One could maybe try further attacks on other devices in my home network, while risking getting noticed. Any attacker would still have to conquer the more important, (hopefully) properly secured computers. :unsure:

Maybe I should outsource insecure computers to a different network. There is still much to do…

My Final Verdict: Tablet good enough for the purpose!


The advantages (getting lots of devices for almost no money) outweigh the small risks by far. This tablet is just an example. I have more devices like that for special purposes (even offline). One old phone with LineageOS 14.1 in airplane mode only serves as a speedometer on my bicycle. Another one serves as an offline audio book player. I dislike trashing a perfectly working system.

I heavily rely on compartmentalization, strictly keeping important and unimportant things separate (different physical machines, different virtual machines). This way I have no need to install a ton of software (attack surface) on an important device. I surely don’t want a Bible app or some random games on my Pixel phone or my main PC.

Look further than device security…


Okay, now I'll jump to the serious attacks. A very quick look at really extreme attacks and why GOS alone – even with all its cool security features – isn't the ultimate answer.

Don't focus only(!) on the technical part (“Is my device secured as well as possible against known and unknown exploit attempts?”). Be aware of other entry points as well. If you are a target, the attacker will not limit themselves to trying to break the strongest link in your chain (like exploiting GOS).

A physically secured PC (anti-tamper, tamper-evident) and Android AVB might counter Evil Maid Attacks on the devices themselves. But it is of no use if you get careless and Miss Maid just installs a tiny camera to spy on your passphrase.

Being aware of all technical parts, even securing your house against stealth entry in the most paranoid ways to prevent Evil Maid Attacks, is of no use if a malicious (state) actor decides to torture you until you reveal all credentials. See the classic XKCD comic: https://xkcd.com/538/

Computer security for the sake of securing things is a fun hobby with so many cool things to learn, but it is not sufficient to be "fully" secure. Having done everything from a technical point of view is also a way of getting a false sense of security – as much as believing that simply installing a recent unofficial LineageOS on outdated hardware will solve all of your problems.

In this sense: Do the best you can with acceptable effort, keep things separate and don't throw away working computers. Think of environmental protection.





__________________
¹ Depending on the country certain religious texts might be a huge risk requiring good security, but in Germany this is currently not an issue.
Author: KleinesSinchen