GrapheneOSGoogle has awarded bounties of $5000, $3000 and $250 for our 3 vulnerability reports related to physical data extraction attack vectors. Both $5000 and $3000 issues are being exploited in the wild. $250 bounty is for a minor issue we found while doing general USB hardening work.
Most serious issue is the one with a $3000 bounty. We provided proof of in the wild exploitation and a proposal for preventing exploiting the class of vulnerabilities which is being implemented. For the one they're awarding $5000, we weren't sure they'd even consider it a bug.
The most serious issue is likely only getting $3000 because we do not know the specific bug being exploited. It was classified a low quality report, not because we did a bad job but because we don't have that info. We did provide a way to prevent getting data by exploiting it.
Our proposal for preventing getting data by exploiting the main issue should ship as a Pixel firmware update next month and the feature will become one of our baseline hardware requirements. It's already harder to use it with GrapheneOS and we've made major recent improvements.
Our recent improvements:
1) New USB-C port control setting integrated into the USB-C controller driver to disable USB at a hardware level. It will become "Charging-only when locked, except before first unlock" by default soon. Shipped in 2024022600: https://grapheneos.org/releases#2024022600.
Monew@GrapheneOS what does the “except before first unlock” mean? Is this every time the phone is started or just when the phone is set up for the first time?
@monew Each time the phone is booted and hasn't been unlocked yet.
@GrapheneOS @monew i am a bit confused, does this mean before the first unlock usb will be enabled or disabled?
@monew If you set it to "Charging-only while locked" it will only allow charging while locked. If you set it to "Charging-only while locked, except before first unlock" it will allow more than charging before first unlock, and then it will only allow charging while locked.
@GrapheneOS @monew Okay, thanks!