UBports Forum

Security on UT

General · 35 posts, 9 posters, 6.1k views
dobey @trainailleur · 19 Jun 2020, 21:55

      @trainailleur said in Security on UT:

      Ubuntu Touch has unencrypted data and adb always on in recovery, so anyone who knows the adb command is going to extract your data quite easily.

      Even if adb was off, the bootloader cannot be re-locked either, so one could simply flash TWRP and use adb with it instead.

      And even if it had FDE today, using dm-crypt, the key and data would be stored on the same media, so combined with the previously mentioned lack of lockable bootloader, an attacker could just copy the wrapped key and image data off the device, and brute force decryption externally.

trainailleur @dobey · 19 Jun 2020, 23:28

        @dobey said in Security on UT:

        Even if adb was off, the bootloader cannot be re-locked either, so one could simply flash TWRP and use adb with it instead.

Yes, I first tried this once, long ago, when I was curious how readable the Android-based UT devices were. It was only later that I realized the stock recovery had it enabled too. 🙂

        And even if it had FDE today, using dm-crypt, the key and data would be stored on the same media, so combined with the previously mentioned lack of lockable bootloader, an attacker could just copy the wrapped key and image data off the device, and brute force decryption externally.

        Indeed. Hence the general recommendation for extremely long and complex LUKS passphrases these days.

dobey @trainailleur · 20 Jun 2020, 03:05

          @trainailleur said in Security on UT:

          Indeed. Hence the general recommendation for extremely long and complex LUKS passphrases these days.

          Yes, which absolutely nobody ever wants to have to actually remember with their brain or type on a phone screen.

          There's a reason that storing the key on separate media (hardware backed encryption keys in android) and avoiding extraneous user interaction is preferred by both Android and iOS now.

trainailleur @dobey · 20 Jun 2020, 04:53

            @dobey said in Security on UT:

            Yes, which absolutely nobody ever wants to have to actually remember with their brain or type on a phone screen.

            There's a reason that storing the key on separate media (hardware backed encryption keys in android) and avoiding extraneous user interaction is preferred by both Android and iOS now.

Correct Horse Battery Staple is a good start, and its entropy can be improved on considerably whilst still remaining memorable. That's something I can live with in the absence of perfection. 🙂

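To make the two points above concrete (dobey's: the wrapped key and the data sit on the same media, so an attacker who can pull them off the device can brute-force the passphrase offline; trainailleur's: the only lever left is passphrase entropy), here is an added example, not code from this thread, from UBports or from cryptsetup. It is a stdlib-only Python model of a LUKS/dm-crypt-style key hierarchy. The HMAC counter keystream is a toy stand-in for AES-XTS and not a real cipher; the PBKDF2 iteration count, the attacker's offline guess rate, the word-list sizes (2048 words for the "correct horse battery staple" comic, 7776 for Diceware) and the sample dictionary and plaintext are all assumptions constructed for the demo.

```python
"""Toy LUKS-style volume: passphrase -> KEK wraps a random volume key; the wrapped
key, salt and iteration count live in a header next to the encrypted data.
Everything the attacker needs is in that header, so the attack runs offline."""
import hashlib
import hmac
import math
import secrets

ITERATIONS = 20_000                 # assumed PBKDF2 cost; real LUKS benchmarks a higher one per device
ATTACKER_GUESSES_PER_SEC = 10_000   # assumed offline rate on a cracking rig at this cost


def kdf(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Passphrase -> 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic counter-mode keystream from HMAC-SHA256 (toy stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def format_volume(passphrase: str, plaintext: bytes, iterations: int = ITERATIONS):
    """Return (header, ciphertext). The header is stored on the same media as the data."""
    volume_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = kdf(passphrase, salt, iterations)
    header = {
        "salt": salt,
        "iterations": iterations,
        "wrapped_key": xor(volume_key, keystream(kek, 32)),
        # digest of the volume key, so unlock can tell a right passphrase from a wrong one
        "key_check": hashlib.sha256(volume_key).digest(),
    }
    ciphertext = xor(plaintext, keystream(volume_key, len(plaintext)))
    return header, ciphertext


def unlock(header: dict, passphrase: str):
    """Return the volume key, or None if the passphrase is wrong."""
    kek = kdf(passphrase, header["salt"], header["iterations"])
    volume_key = xor(header["wrapped_key"], keystream(kek, 32))
    if not hmac.compare_digest(hashlib.sha256(volume_key).digest(), header["key_check"]):
        return None
    return volume_key


def decrypt(header: dict, ciphertext: bytes, passphrase: str):
    volume_key = unlock(header, passphrase)
    if volume_key is None:
        return None
    return xor(ciphertext, keystream(volume_key, len(ciphertext)))


def offline_dictionary_attack(header: dict, candidates):
    """What an attacker does with a header copied off the device (adb pull, TWRP,
    raw flash dump): guess on their own hardware, with no lockscreen, no retry
    limit and no wipe-after-N-failures to stop them."""
    for guess in candidates:
        if unlock(header, guess) is not None:
            return guess
    return None


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of `words` uniformly random word-list entries."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Mean time to hit a uniformly random passphrase: half the keyspace."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


# --- constructed demo data (not real user data) -----------------------------
DICTIONARY = ["password", "123456", "qwerty", "letmein", "ubuntu", "touch", "phone"]
SECRET = b"contacts.db: alice 555-0100; bob 555-0101"

if __name__ == "__main__":
    header, ct = format_volume("letmein", SECRET)
    print("weak passphrase recovered offline:", offline_dictionary_attack(header, DICTIONARY))
    print("decrypt with it:", decrypt(header, ct, "letmein"))
    for label, words, size in [("4 words, 2048-word list (the comic)", 4, 2048),
                               ("4 Diceware words (7776-word list)", 4, 7776),
                               ("7 Diceware words (7776-word list)", 7, 7776)]:
        bits = passphrase_entropy_bits(words, size)
        years = expected_crack_seconds(bits, ATTACKER_GUESSES_PER_SEC) / (365.25 * 86400)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at {ATTACKER_GUESSES_PER_SEC}/s")
```

The iteration count only scales the attacker's guess rate linearly, while each extra word multiplies the search space by the word-list size; that asymmetry is the whole argument for long passphrases when the key cannot be kept off the media. Raising the assumed guess rate by a factor of a thousand (a bigger rig, a cheaper KDF) moves the 4-word case from years to days but leaves the 7-word case out of reach.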
A Former User @dobey · 20 Jun 2020, 08:38

@dobey Before I started writing this post I did some reading.
https://sensorstechforum.com/ubuntu-touch-os-is-it-secure-enough-and-should-you-use-it/
It is from 2016.
So today, the biggest issue is with adb and the bootloader, as far as I understand.
How have things changed since 2016? Would the PinePhone make a difference regarding this?

A Former User @trainailleur · 20 Jun 2020, 08:42

@trainailleur So the biggest concern is if someone gets physical access to the device? Did I understand that right?

arubislander @Guest · 20 Jun 2020, 11:18

                  @C0n57an71n said in Security on UT:

@dobey Before I started writing this post I did some reading.
https://sensorstechforum.com/ubuntu-touch-os-is-it-secure-enough-and-should-you-use-it/
It is from 2016.
So today, the biggest issue is with adb and the bootloader, as far as I understand.
How have things changed since 2016? Would the PinePhone make a difference regarding this?

                  That article didn't make much sense to me to be honest. The security issues it mentioned were either not limited to or able to be mitigated by the phone OS, or not clearly explained why they were seen to be security issues.

                  Happily running Ubuntu Touch
                  Google Pixel 3a (20.04 DEV)
                  JingPad (24.04 preview)
                  Meizu Pro 5 (16.04 DEV)

dobey @Guest · 20 Jun 2020, 14:35

                    @C0n57an71n I don't think that accurately applies to UT, and honestly I'd never seen it before anyway.

dobey @trainailleur · 20 Jun 2020, 14:40

                      @trainailleur That may be true, but having to type that every time you pick up your phone to do something is going to become very tiring, very quickly. It's also going to be easy to make a mistake while typing, and with proper measures to prevent brute force attacks, could lead to loss of data; while at the same time, not preventing the copying of key/data off to attack with much more powerful hardware.

dobey @Guest · 20 Jun 2020, 14:41

                        @C0n57an71n said in Security on UT:

@trainailleur So the biggest concern is if someone gets physical access to the device? Did I understand that right?

Yes. The point of encrypting the storage is to protect data when the attacker has gained physical access.

trainailleur @dobey · 20 Jun 2020, 16:34

                          @dobey said in Security on UT:

                          @trainailleur That may be true, but having to type that every time you pick up your phone to do something is going to become very tiring, very quickly. It's also going to be easy to make a mistake while typing, and with proper measures to prevent brute force attacks, could lead to loss of data; while at the same time, not preventing the copying of key/data off to attack with much more powerful hardware.

No, as typically implemented by Linux distros (including Ubuntu), you only type a LUKS passphrase once between boots, prior to the mounting of the filesystem it contains. Your login and screen unlock passwords can be as long or short as you want them to be. The idea is that a running system should be cagey enough to resist a break-in but that a non-running system - at least on legacy hardware - has very little to protect it. The situation of legacy PC hardware is somewhat analogous to phones with unlocked bootloaders. Postmarket's osk-sdl is a small onscreen keyboard to serve exactly this purpose. (It looks like it is slated for their Community Edition PinePhone, incidentally.)

                          Yes, a running or even non-running system that is captured could be subject to a cold-boot attack and memory dump, but that is far from 100% reliable, and filesystem encryption remains a high barrier to intrusion.

trainailleur @arubislander · 20 Jun 2020, 16:48

                            @arubislander said in Security on UT:

                            That article didn't make much sense to me to be honest. The security issues it mentioned were either not limited to or able to be mitigated by the phone OS, or not clearly explained why they were seen to be security issues.

                            Not to mention that a misconception that Ubuntu Touch would be identical to mainstream Ubuntu is one of the core assumptions of the article. There is no indication that the report the article is cribbing from made that assumption - or even discussed Ubuntu Touch at all - and the link to it is dead so it can't be checked now. I suspect this was a wishful thinking fluff piece by someone who knew very little about UT.

A Former User @trainailleur · 20 Jun 2020, 17:10

@trainailleur There was another article that referred to the same test done in the UK. I will try to find it again if you are curious.

trainailleur @Guest · 20 Jun 2020, 18:26

                                @C0n57an71n said in Security on UT:

@trainailleur There was another article that referred to the same test done in the UK. I will try to find it again if you are curious.

                                I found the actual UK evaluation on the Wayback Machine. As suspected, there is no mention of Ubuntu Touch at all:

                                End User Devices Security Guidance: Ubuntu 12.04

                                The article you linked was indeed wishful thinking and bad extrapolation.

                                (Anyone interested in reading this may want to act fast, as the Internet Archive is currently under threat of being sued into oblivion.)
