Replying to e76e7052...

So, I’m reading through https://grapheneos.org/faq#security-and-privacy and see “the baseband is isolated on all of the officially supported devices” … were GrapheneOS Pixels affected by the Samsung baseband remote code execution vulnerabilities Project Zero disclosed earlier this year?

All Pixels were; however, once an attacker has taken over a baseband via a remote code execution exploit, they could potentially have another exploit for the OS. Hardening the OS, including drivers, against exploitation from hardware components is often overlooked. Drivers can accidentally trust hardware.

GrapheneOS can't directly harden the firmware/hardware itself, but we do harden the OS against being taken over from compromised firmware/hardware in these situations.

Therefore, on the OS level, it was mitigated against, yes.

Then once the patches were available we rolled them out instantly.

Something you need to be aware of, though, is that while this particular exploit received a lot of attention, things like this are commonly found in security bulletins and updates and can only deal with known knowns, not known unknowns. The latter requires constant vigilance and GrapheneOS goes a long way in ensuring best protection from them. We are not currently aware of any in the wild vectors compromising the OS.

Discussion

It is that very isolation via IOMMU that enables this.

Thank you for this great response. I really appreciate it. I think you’ve convinced me to try graphene as my next phone OS. 🖤🔒

I’ve been running it for about a year now and I like it.

Cool! What did you use prior to GrapheneOS?