okayphoneme

Can the bootloader be locked?


I understand that the Pro1 comes with an unlocked bootloader. This is great for installing other operating systems, but leaving the bootloader unlocked is a massive security liability. Is it possible to lock down the bootloader?


yes, you can lock it via adb/fastboot.

reboot to bootloader.

adb reboot bootloader

then you can lock it via fastboot

fastboot oem lock

this one worked for my actual phone, if it throws an error try one of those

fastboot oem relock

fastboot flashing lock

if no error occurred you can reboot with

fastboot reboot



but be aware that unlocking the bootloader again will wipe your phone.

Edited by mcdinner
addition
  • Thanks 6
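
A way to confirm that the lock command in the post above actually took effect, as an added example that is not part of the original thread: it classifies output captured from `fastboot getvar unlocked` and from the Android properties `ro.boot.flash.locked` and `ro.boot.verifiedbootstate`. That the Pro1's bootloader reports an `unlocked` variable is an assumption, and the sample capture is constructed.

```shell
#!/bin/sh
# Added example: interpret lock-state evidence captured from a device.
# Capture the inputs with:
#   fastboot getvar unlocked 2>&1              (in bootloader mode; variable name varies by vendor)
#   adb shell getprop ro.boot.flash.locked     (after booting Android)
#   adb shell getprop ro.boot.verifiedbootstate

# Map captured `fastboot getvar unlocked` output to locked/unlocked/unknown.
fastboot_lock_state() {
    value=$(printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^.*[Uu]nlocked:[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
        head -n 1 | tr 'A-Z' 'a-z')
    case "$value" in
        no|false|0) echo locked ;;
        yes|true|1) echo unlocked ;;
        *)          echo unknown ;;   # variable missing or unsupported
    esac
}

# Combine the two Android boot properties into a verdict.
#   $1 = ro.boot.flash.locked       (1 = locked, 0 = unlocked)
#   $2 = ro.boot.verifiedbootstate  (green | yellow | orange | red)
android_boot_verdict() {
    locked=$(printf '%s' "$1" | tr -d '\r\n ')
    state=$(printf '%s' "$2" | tr -d '\r\n ' | tr 'A-Z' 'a-z')
    case "$locked:$state" in
        1:green)     echo "PASS locked, OEM-signed OS verified" ;;
        1:yellow)    echo "PASS locked, OS verified against user-set key" ;;
        1:red)       echo "FAIL locked, but OS verification failed" ;;
        0:*|:orange) echo "FAIL bootloader unlocked, boot chain not enforced" ;;
        *)           echo "UNKNOWN properties missing or inconsistent" ;;
    esac
}

# Constructed sample capture (not taken from a real Pro1).
SAMPLE_FASTBOOT='(bootloader) unlocked: no
Finished. Total time: 0.001s'

echo "fastboot: $(fastboot_lock_state "$SAMPLE_FASTBOOT")"
echo "android:  $(android_boot_verdict 1 green)"
```

An `unknown` result means the bootloader did not report the variable, so fall back to the Android properties after booting.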

37 minutes ago, mcdinner said:

yes, you can lock it via adb/fastboot.

reboot to bootloader.

adb reboot bootloader

then you can lock it via fastboot

fastboot oem lock

this one worked for my actual phone, if it throws an error try one of those

fastboot oem relock

fastboot flashing lock

if no error occurred you can reboot with

fastboot reboot



but be aware that unlocking the bootloader again will wipe your phone.

Awesome, thanks!

9 hours ago, okayphoneme said:

I understand that the Pro1 comes with an unlocked bootloader. This is great for installing other operating systems, but leaving the bootloader unlocked is a massive security liability. Is it possible to lock down the bootloader?

How? Are you saying that rootkits/bootkits for Android are a thing? Otherwise, what is the harm? As I see it, the only thing that a locked bootloader hinders is customization.

59 minutes ago, silversolver said:

How? Are you saying that rootkits/bootkits for Android are a thing? Otherwise, what is the harm? As I see it, the only thing that a locked bootloader hinders is customization.

The harm is that someone can install stuff on your phone if they have physical access to it. In the past, there have been attacks where crypto keys were recovered from unlocked devices (and locking it would have protected against the attack), for example.

1 hour ago, okayphoneme said:

The harm is that someone can install stuff on your phone if they have physical access to it. In the past, there have been attacks where crypto keys were recovered from unlocked devices (and locking it would have protected against the attack), for example.

No one with physical access to my devices is smart enough to install a game since I disable or remove every single Google thing on it, including the store. :O You're worried about so-called "evil maid" attacks, apparently. I'm not worried about that, and would hardly call it a security nightmare under normal usage, but it is nice to know that locking the bootloader is possible for those who wish it. The folks at F(x)tec promised a device that could be customized to virtually anyone's wishes, and they really have delivered. Bravo! Now to get mine........:O Whenever that package arrives it'll be Christmas, my birthday, and payday all at once. :)

  • Like 2


I think more likely if a "bad guy" got ahold of my Pro1, they'd be more likely to steal it than install malware on it.

I've always kept my smartphones unlocked, didn't even know there was any risk involved. And now that I know there is, I'm willing to take that risk.

It's like that write-protect jumper on some PC motherboards for BIOS; first time I remove it to flash BIOS, I never bother putting it back, and I'd imagine that's riskier than not relocking Android bootloader.

  • Like 1


Wouldn't simple encryption stop any sort of attack that you could achieve via an unlocked bootloader? You can't change the ROM to something similar but with added software if you can't de-encrypt the current ROM. Best you can do is change it to something similar, but that should be noticed. I don't get how it's an issue.

 

  • Like 1


Whenever anyone raises these concerns about security, there are always folks who chime in to say they don't mind the risks, and that is perfectly fine and understandable, and maybe it is a reasonable position to take if you don't put sensitive things on your phone, but I for one care about security and privacy and you need a strong foundation to build these things on.

Encryption only covers user data, not the system files, and as I mentioned above, there are attacks which may be able to extract keys from a device with an unlocked bootloader. Most Android users are using PINs / patterns or weak passwords and so the encryption is worthless to someone with a bit of knowledge and determination.

PCs are of course at risk too, I can't argue with that, but at least I can physically protect my PC and I can encrypt the entire system.

  • Thanks 1

32 minutes ago, okayphoneme said:

Encryption only covers user data

Didn't know that, I figured full disk encryption is full disk encryption, but apparently Google disagrees. Yeah, then I can see it being a problem.

On 11/23/2019 at 7:56 AM, okayphoneme said:

Whenever anyone raises these concerns about security, there are always folks who chime in to say they don't mind the risks, and that is perfectly fine and understandable, and maybe it is a reasonable position to take if you don't put sensitive things on your phone, but I for one care about security and privacy and you need a strong foundation to build these things on.

Encryption only covers user data, not the system files, and as I mentioned above, there are attacks which may be able to extract keys from a device with an unlocked bootloader. Most Android users are using PINs / patterns or weak passwords and so the encryption is worthless to someone with a bit of knowledge and determination.

PCs are of course at risk too, I can't argue with that, but at least I can physically protect my PC and I can encrypt the entire system.

The thing that puzzles me is how an attacker would get it away from you long enough to do something with it. If you lost it, the odds of it getting to someone who desired something beyond a free phone are fairly low, and if it's with you, near zero. It's definitely a risk I'm willing to take. Then again, I don't keep much on my phone and don't lock it or my key-in-ignition vehicles or my house because I live in a reasonably safe area, and other people might live in an area where phones are routinely stolen at gunpoint, and have sensitive data on their phone, and feel the need to take additional steps.

If my account starts posting spam suddenly, someone stole my phone. :O

  • Haha 2

5 minutes ago, silversolver said:

The thing that puzzles me is how an attacker would get it away from you long enough to do something with it. If you lost it, the odds of it getting to someone who desired something beyond a free phone are fairly low, and if it's with you, near zero. It's definitely a risk I'm willing to take. Then again, I don't keep much on my phone and don't lock it or my key-in-ignition vehicles or my house because I live in a reasonably safe area, and other people might live in an area where phones are routinely stolen at gunpoint, and have sensitive data on their phone, and feel the need to take additional steps.

If my account starts posting spam suddenly, someone stole my phone. 😮

The FBI arrests you and you have incriminating evidence stored on your phone. If the bootloader is unlocked, they will likely not have too hard a time getting in.

  • Thanks 1

2 minutes ago, netman said:

The FBI arrests you and you have incriminating evidence stored on your phone. If the bootloader is unlocked, they will likely not have too hard a time getting in.

Haha, if the FBI wants your data, they'll get it whether the bootloader is locked or not LOL! My strategy is to not do things which would attract their attention. :P

Edited by silversolver
comment
  • Thanks 1
  • Haha 1

2 minutes ago, silversolver said:

Haha, if the FBI wants your data, they'll get it whether the bootloader is locked or not LOL! My strategy is to not do things which would attract their attention. 😛

Well the point is someone could take the phone while you have secrets inside, and if you have the bootloader locked and the filesystem encrypted it may be very hard to get to that data while otherwise it is not.

1 minute ago, netman said:

Well the point is someone could take the phone while you have secrets inside, and if you have the bootloader locked and the filesystem encrypted it may be very hard to get to that data while otherwise it is not.

My life is an open book. However, for those who do have a need to keep secret data on their phone for some reason, certainly the steps you suggest might be prudent.

Just now, silversolver said:

My life is an open book. However, for those who do have a need to keep secret data on their phone for some reason, certainly the steps you suggest might be prudent.

I think the majority of people have at least some level of secrets on their phones, ranging from credit card numbers to naughty pictures and passwords.


So, actual question: What exactly is preventing someone from - you know - just unlocking the boot loader after you locked it? Last time I checked all you needed was a code from the company that manufactured the device. Which anyone can get a hold of fairly easily (all you need is the IMEI of the device).

2 minutes ago, SteffenWi said:

So, actual question: What exactly is preventing someone from - you know - just unlocking the boot loader after you locked it? Last time I checked all you needed was a code from the company that manufactured the device. Which anyone can get a hold of fairly easily (all you need is the IMEI of the device).

You have to unlock the phone to unlock the bootloader with that code (or without, many devices don't need a code). There's no easy way to bypass the lockscreen if it is set up for pattern lock or the like, at least when the bootloader is locked.

53 minutes ago, SteffenWi said:

So, actual question: What exactly is preventing someone from - you know - just unlocking the boot loader after you locked it? Last time I checked all you needed was a code from the company that manufactured the device. Which anyone can get a hold of fairly easily (all you need is the IMEI of the device).

Your phone will be completely wiped, so you should recognize if there was some tampering in place.

  • Thanks 2

On 11/23/2019 at 1:30 PM, Zamasu said:

Didn't know that, I figured full disk encryption is full disk encryption, but apparently Google disagrees. Yeah, then I can see it being a problem.

Your phone has to be decrypted to boot, so it would have to hold the key and essentially be useless if somebody can get to the bootloader. If the key is your PIN, the firmware/OS managing that input is vulnerable to evil maid via unlocked bootloader.

These are extremely unlikely to affect many people who keep hold of the device most of the time. But some people do have things to hide, and should be relieved that they have the option of locking the bootloader. And that if anyone tries to unlock it it would wipe the phone.

Some companies will not permit you to sign in with your company credentials unless the phone is running the latest patched OS, will have device policy apps installed and will require a locked bootloader.

  • Like 2

2 hours ago, mcdinner said:

Your phone will be completely wiped, so you should recognize if there was some tampering in place.

Huh, I seem to have forgotten that. Thanks for reminding me :).

  • Like 1

12 hours ago, silversolver said:

The thing that puzzles me is how an attacker would get it away from you long enough to do something with it

Just go through US customs. They search and clone phones routinely on a random basis.

48 minutes ago, abielins said:

Just go through US customs. They search and clone phones routinely on a random basis.

The Supreme Court just smacked them down hard on that. I believe that they did the right thing, although many people with whom I generally agree are weeping about it. Funny world....
