Android Oreo's Rollback Protection Will Block OS Downgrades (androidpolice.com)

jbernardo writes: Google is using the boiling frog method to exclude power users and custom ROMs from Android. A new feature in Android 8.0 Oreo, called "Rollback Protection" and included in the "Verified Boot" changes, will prevent a device from booting should it be rolled back to an earlier firmware. The detailed information is here. As it rejects an image if its "rollback index" is lower than the one in "tamper evident storage," any attempt to install a previous version of the official, signed ROM will make the device unbootable. Much like iOS (without the rollback grace period) or the extinct Lumias. It is explained in the recommended boot workflow and notes below, together with some other "smart" ideas.

Now, this might seem like a good idea at first, but let's just imagine this on a PC. It would mean no easy rollback from Windows 10 to 7 after a forced installation, and doing that or installing Linux would mean an unreasonably complex bootloader unlocking, with all your data wiped. Add SafetyNet to the mix, and you would also be blocked from watching Netflix or accessing your banking sites if you dared to install Linux or roll back Windows. To add insult to injury, unlocked devices will stop booting for at least 10 seconds to show some paternalist message on how unlocking is bad for your health: "If the device has a screen and buttons (for example if it's a phone) the warning is to be shown for at least 10 seconds before the boot process continues." Now, knowing that most if not all Android bootloaders have vulnerabilities/backdoors, how can this be defended, even with the "security/think of the children" approach? This has no advantages other than making it hard for users to install ROMs or to revert to a previous official ROM to restore missing functionality.
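Editor's added example, not code from the article, the summary or any commenter: a small model of the check the summary describes. Each signed image carries one or more rollback indices; the bootloader refuses the image if any index is lower than the value held in tamper-evident storage, and in the LOCKED state that refusal stops the boot, while in the UNLOCKED state the failure is only reported (the warning screen) and the boot continues. The two-slot A/B layout, the two index locations, and the rule that the stored index is raised only to the lowest index among slots that still verify are assumptions made for the example, not documented behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of a Verified Boot style rollback check, written for
 * this page. It is not libavb code; layout and update rule are assumed. */

#define NUM_SLOTS 2      /* A/B: slot 0 is "a", slot 1 is "b" */
#define NUM_LOCATIONS 2  /* index locations, e.g. 0 = boot, 1 = system */

enum lock_state { LOCKED, UNLOCKED };
enum verify_result { VERIFY_OK, VERIFY_BAD_SIGNATURE, VERIFY_ROLLBACK };

struct slot_image {
    bool signature_ok;                       /* outcome of the signature/hash checks */
    uint64_t rollback_index[NUM_LOCATIONS];  /* indices inside the signed metadata */
};

struct device {
    enum lock_state state;
    uint64_t stored[NUM_LOCATIONS];          /* tamper-evident storage, e.g. an RPMB counter */
    struct slot_image slot[NUM_SLOTS];
};

/* Constructed starting state: stored indices 3, slot a holds a newer build
 * (index 4), slot b still holds the previous build (index 3). */
struct device make_device(enum lock_state state)
{
    struct device d = { .state = state, .stored = { 3, 3 } };
    d.slot[0] = (struct slot_image){ .signature_ok = true, .rollback_index = { 4, 4 } };
    d.slot[1] = (struct slot_image){ .signature_ok = true, .rollback_index = { 3, 3 } };
    return d;
}

/* A slot verifies only if it is correctly signed and none of its indices is
 * lower than the corresponding stored value. */
enum verify_result verify_slot(const struct device *d, int s)
{
    const struct slot_image *img = &d->slot[s];
    if (!img->signature_ok)
        return VERIFY_BAD_SIGNATURE;
    for (int loc = 0; loc < NUM_LOCATIONS; loc++)
        if (img->rollback_index[loc] < d->stored[loc])
            return VERIFY_ROLLBACK;
    return VERIFY_OK;
}

/* LOCKED: any verification failure stops the boot.
 * UNLOCKED: the failure is reported (where the warning screen would go) but
 * the boot continues, because the owner chose to take over verification. */
bool may_boot(const struct device *d, int s, enum verify_result *why)
{
    *why = verify_slot(d, s);
    return *why == VERIFY_OK || d->state == UNLOCKED;
}

/* After a successful boot of a LOCKED device, raise each stored index to the
 * lowest index among the slots that still verify. Using the minimum instead
 * of the booted slot's own index keeps the other slot bootable for A/B
 * fallback until it has been updated too (assumed rule). */
void update_stored_indices(struct device *d)
{
    if (d->state != LOCKED)
        return;
    for (int loc = 0; loc < NUM_LOCATIONS; loc++) {
        uint64_t lowest = UINT64_MAX;
        bool any = false;
        for (int s = 0; s < NUM_SLOTS; s++) {
            if (verify_slot(d, s) != VERIFY_OK)
                continue;
            any = true;
            if (d->slot[s].rollback_index[loc] < lowest)
                lowest = d->slot[s].rollback_index[loc];
        }
        if (any && lowest > d->stored[loc])
            d->stored[loc] = lowest;
    }
}

int main(void)
{
    struct device d = make_device(LOCKED);
    enum verify_result why;

    printf("boot slot a: %s\n", may_boot(&d, 0, &why) ? "ok" : "refused");
    update_stored_indices(&d);                                      /* stays 3: slot b is at 3 */
    d.slot[1].rollback_index[0] = d.slot[1].rollback_index[1] = 4;  /* OTA lands in slot b */
    update_stored_indices(&d);                                      /* now 4 */
    d.slot[0].rollback_index[0] = d.slot[0].rollback_index[1] = 3;  /* flash old signed build */
    printf("LOCKED, downgraded slot a: %s\n", may_boot(&d, 0, &why) ? "boots" : "refused");
    d.state = UNLOCKED;
    printf("UNLOCKED, same image: %s\n", may_boot(&d, 0, &why) ? "boots, with warning" : "refused");
    return 0;
}
```

The point the thread keeps circling back to is visible in `may_boot`: the stored index never changes the answer on an unlocked device, it only decides whether a locked device will start an older but still validly signed build. Whether real firmware raises the stored index per boot, per successful slot, or only once both slots have been updated is exactly the detail a practitioner should read from the vendor's boot flow rather than from this model.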

  • not evil (Score:5, Funny)

    by rogoshen1 ( 2922505 ) on Wednesday September 06, 2017 @06:21PM (#55150591)

    No really guys, just look at our motto!

    • Re:not evil (Score:4, Informative)

      by cjjjer ( 530715 ) <cjjjer.hotmail@com> on Wednesday September 06, 2017 @07:16PM (#55150789)
      When Alphabet took over they removed that motto from their code of conduct in 2015 so they are free from "doing no evil" for 2 years now...
• Alphabet never "took over". It is still the Larry, Sergey and (to a lesser extent) Eric show, nothing changed. This always was who they were.

    • Downgrade attacks were a problem with old Sambas, so it's a real concern. Google just did the mitigation badly.

      Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity"

      • If the next version of the OS is found to have a massive security bug after you install it, with no work-around in sight, the logical temp fix is to roll back to the prior version. Or if the new version blocks "Install other OS" or some other useful feature without prior warning, you might choose to reverse the install.
      • Hanlon's Razor:
It means that the willfully malicious get a free pass by acting stupid or claiming stupidity, and teaches people the same. It's a hair away from victim shaming, where someone feels/knows that someone has done wrong but they're told, "Oh, it's ok, that person is just stupid." What utter nonsense!
        I'm tired of Hanlon's Razor. It's totally bankrupt.

        • by davecb ( 6526 )

          Whereas to me it says "most things can be fixed, without needing to murder the person who caused it" (;-))

          In the specific case of Google, they repeat one particular stupid mistake every time they start something new: they assume that they've covered all the ways it can go wrong, and therefore don't need a customer support mechanism. This is a minor variation on that bit of arrogance.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      That's their OLD motto. The new one is "We build robots for the government."

  • by Opportunist ( 166417 ) on Wednesday September 06, 2017 @06:28PM (#55150605)

    Care to inform me why the fuck me, or anyone who has at least parts of his mental health remaining, would want to buy such a device?

    • by tepples ( 727027 ) <tepples.gmail@com> on Wednesday September 06, 2017 @07:00PM (#55150715) Homepage Journal

If you're buying an Android device used, you want to know whether the previous owner has installed malware that persists across an apparent factory reset. Popping up a "This device runs a custom operating system" notice while the bootloader is loading the kernel is an unobtrusive way of doing this.

      If you're buying an Android device, and you watch movies, you want a wide selection of movies. Google can do one of two things. It can keep its license from major movie and television studios to offer their works through Google Play by continuing to improve the digital restrictions management that deters copying a rented stream. Or it can lose its license and pull the works from Google Play, and end users will end up having to buy an iPod touch, iPhone, or iPad in order to continue to watch notable movies and television series once the licensed apps become iOS-exclusive.

      • by Anonymous Coward

        Or Google can ask the providers why Windows gets a pass.

        • by tepples ( 727027 ) <tepples.gmail@com> on Wednesday September 06, 2017 @09:09PM (#55151259) Homepage Journal

          Or Google can ask the providers why Windows gets a pass.

          Probably because it's easier to upgrade a random PC to the latest build of Windows 10 than to upgrade a random phone to the latest build of Android. This allows app developers to exclusively target a new feature update (such as Anniversary, Creators, or Fall Creators) where known holes in Protected Media Path and other digital restrictions management technologies in Windows 10 have been plugged.

          And no, Windows doesn't necessarily get a pass. No app (legally) plays UHD Blu-ray movies on Windows on a PC with a CPU older than Kaby Lake or an operating system other than Windows 10. You may also need to replace your motherboard with one that supports Intel SGX and your video card with one that supports AACS 2.0 and HDCP 2.2. (Source [extremetech.com]) Movie studios have put similar requirements on 4K streaming. (Source [extremetech.com])

      • by Kjella ( 173770 )

        Or it can lose its license and pull the works from Google Play, and end users will end up having to buy an iPod touch, iPhone, or iPad in order to continue to watch notable movies and television series once the licensed apps become iOS-exclusive.

        You mean after the major movie and television studios see a mysterious 80-90% drop in revenue and torrents get another vitality boost. There's no way they could afford dropping Android as a market, it's like saying that if we broke the protection on DVD/BluRay/UHD BluRay they'd stop selling discs and force us to the cinema. Everyone can see that's a bluff.

        • You mean after the major movie and television studios see a mysterious 80-90% drop in revenue

          How so? Last I checked [businessinsider.com], revenue from paid apps and IAPs per user is nine times as large on iOS compared to Android. This gap is so big that it more than offsets Android's larger user base.

          • Apple's market is rich people with more money than brain cells. Android's market is everyone else.

          • by AmiMoJo ( 196126 )

            The methodology in that article is flawed.

            They measure the revenue from Google Play vs. the Apple Store. However, Apple requires all payments to go through Apple. The Amazon app on iOS can't process any payments, it takes you to the Amazon web site instead. Everything has to go through Apple, including all in-app purchases.

            Google is far less restrictive. You can install entire alternative apps stores (and they are very popular in China and India). You can have your own payment systems, e.g. Amazon or Netfli

• If you're buying an Android device used, you want to know whether the previous owner has installed malware that persists across an apparent factory reset. Popping up a "This device runs a custom operating system" notice while the bootloader is loading the kernel is an unobtrusive way of doing this.

        If you're buying an Android device, and you watch movies, you want a wide selection of movies. Google can do one of two things. It can keep its license from major movie and television studios to offer their works through Google Play by continuing to improve the digital restrictions management that deters copying a rented stream. Or it can lose its license and pull the works from Google Play, and end users will end up having to buy an iPod touch, iPhone, or iPad in order to continue to watch notable movies and television series once the licensed apps become iOS-exclusive.

        I'm sorry to throw this in, but I don't "get" the "new" generation. If I want to watch a movie, I have a device at home that puts it on a large screen for me to sit on this thing called a "couch" and watch. The "need" to have a way to watch mobile-accessible versions of shows/movies/etc is scary. I also say this because I work at a place where productivity falls in departments under the top-level one (top-level department, that is) because people watch movies and shows at work. Their work contains error

        • I have a device at home that puts it on a large screen for me to sit on this thing called a "couch" and watch.

          A lot of such devices run Android OS. If Android loses movies, these users will switch to Apple TV.

          The "need" to have a way to watch mobile-accessible versions of shows/movies/etc is scary. I also say this because I work at a place where productivity falls in departments under the top-level one (top-level department, that is) because people watch movies and shows at work.

          For those not afflicted in the way you go on to describe at length, it's not about watching movies and TV shows at work as much as watching them on the bus or train ride to and from work. Or is it considered suspicious for an employee to get to and from work in any way other than a personal automobile?

    • Re: (Score:3, Informative)

      by hawguy ( 1600213 )

      Care to inform me why the fuck me, or anyone who has at least parts of his mental health remaining, would want to buy such a device?

      Probably because nearly all consumers have no interest at all in rooting their phone, installing a custom ROM, or even rolling back to a previous release. It's a very tiny subset of users that care about such things, not enough for most companies to care about serving them.

      • by Namarrgon ( 105036 ) on Wednesday September 06, 2017 @08:13PM (#55151085) Homepage

        As is made clear further down [googlesource.com], the rollback index does not prevent custom ROMs, old versions, or anything else from being installed IF the device's bootloader is unlocked - as has always been the case when installing custom ROMs.

        All it does is prevent locked devices from being downgraded (to a presumably less-secure version that could be exploited). Locked devices are locked for security, so this is entirely expected behaviour. If you would rather take control and manage your own security, you can unlock the bootloader at any time (at least on Google's own devices; YMMV with other vendors). Then you can install anything you want.

        • by Sark666 ( 756464 )

Good to hear. But regarding root, if I have a device that has a root procedure, I'll then be excluded from future OTA updates. Worse still, it tries to install and fails and you have a non-booting device. To get the update you have to disable root, which causes other issues.

          I like having a device with root access but they make it a pain in the ass to actually maintain the device if you still want official updates. This doesn't apply if you have a custom rom.

• OTA upgrades always verify the hashes of the files they're upgrading before anything starts. If you've managed to root your locked device without modifying system files then it will upgrade fine (but usually leave you without root afterwards). If you have modified system files then the upgrade will fail that check before it upgrades anything, and you'll have to unroot it & restore the system to stock (or re-flash the stock OS image) to get OTAs again. This rollback protection won't affect that.

          • by AmiMoJo ( 196126 ) <mojo&world3,net> on Thursday September 07, 2017 @06:48AM (#55152499) Homepage Journal

            Root users can manually download and install OTA updates. I do it all the time.

            Having said that, my primary phone is unrooted and the bootloader locked. The only reasons I had to root have all become moot now - granular permission control and ad blocking. Both are available without root, and the extra security provided by a locked bootloader and fully encrypted phone is extremely valuable.

    • Care to inform me why the fuck me, or anyone who has at least parts of his mental health remaining, would want to buy such a device?

      With several billions of smartphones in the world and several 10s of thousands of people at the most interested in custom ROMs or potentially downgrading firmware (which can't be done without voiding the warranty on any current smartphone anyway), ...

      care to inform me why anyone bar a rounding error of people would give a damn?

    • Maybe because nobody lied to them about not being able to install custom ROMs?

      The frigging summary is like, "It will prevent you from installing custom firmware by checking the roll-back index of official, signed firmware and refusing to boot official, signed firmware with a lower roll-back index". That doesn't say it will do anything special for unofficial firmware.

  • by Anonymous Coward

    Welp, looks like I'm never buying a new Android phone. This is going to be secure boot Google edition, with the bricked systems and all.

    • Welp, looks like I'm never buying a new Android phone...

      My phone company (AT&T) pushed an OS update onto my smartphone a couple weeks ago. I wonder if it enabled this "fix" (or if the next one will).

    • Re: (Score:2, Informative)

      by Anonymous Coward

      You realise you can still turn this "secure boot" system off completely with fastboot oem unlock and install anything you like, just like always?

  • So (Score:5, Interesting)

    by fermion ( 181285 ) on Wednesday September 06, 2017 @06:39PM (#55150641) Homepage Journal
Wasn't there just a security alert about phones being rolled back without the users' knowledge?

On a PC, if you are going to 'roll back' the best thing to do is start from a clean hard disk. The only reason to do this is if there are problems, in which case the safest thing to do is to wipe the machine.

Does the Android phone have forced installation? If so then anyone buying it is an idiot. If not, then why bring it up.

And as always data is only lost if you don't back it up. Now, on upgrade data can also be migrated so you may not be able to use it on an old system, but again, if this is not a forced upgrade, why didn't you back up data.

What is this, the day /. lets the children run the front page so they can whine about the fact the candy store charges money?

    • by Anonymous Coward

      Does the Android phone have forced installation, if so then Antoine buying it is an idiot. If not, then why bring it up.

I guess you've never used a smartphone; they all come with the OS pre-installed, and all of the "secure" data already written, with no way to erase / change it. By definition, the installation is forced because attempting to install anything else will result either in a device booting to a firmware error message and subsequent firmware download mode or a paperweight.

      Some (few unless you buy a

  • Fuck Google.
    Fuck Google.
    Fuck Google.

  • I like this. (Score:5, Informative)

    by poptix ( 78287 ) on Wednesday September 06, 2017 @06:41PM (#55150647) Homepage

    I don't want *my* device stolen, downgraded, then rooted. I want it secure.

    I buy devices that can be OEM unlocked and rooted though, (currently the Pixel XL) in case I want a custom ROM or root.

    As long as I can buy a device capable of being OEM unlocked and/or rooted I don't see the problem. If you have an issue with rev XYZ of a ROM you can always install a derivative with a fix from XDA, or a straight up copy of a prior version with a different name/version, just not a *signed* copy of a prior version.

    tldr; All this does is prevent thieves from backtracking to an exploitable ROM. If you have authorized access you can still OEM unlock and do whatever you want.

    • by Anonymous Coward
It also prevents legitimate users that might need to roll back due to a bug or feature that affects them badly in a new build from rolling back. Really this should be a completely optional check that is user settable, as a rollback can be critical. I have had to roll back twice in recent years due to breaking changes, and why is it unreasonable to want to be able to use the last known good build from the manufacturer, as I don't want to root my phone or put on custom ROMs.
      • by Xenx ( 2211586 )
        Just as a point, if there is a setting to enable/disable the security check.. you make the security check easier to bypass.
• It also prevents legitimate users that might need to roll back due to a bug or feature that affects them badly in a new build from rolling back. Really this should be a completely optional check that is user settable, as a rollback can be critical. I have had to roll back twice in recent years due to breaking changes, and why is it unreasonable to want to be able to use the last known good build from the manufacturer, as I don't want to root my phone or put on custom ROMs.

        I hear ya, but hear me out... I doubt this is the reasoning. The "Why" is: Google isn't stupid... Are they? Assuming they aren't stupid and wanting to be a center point of attention for a massive security breach of "all users of Android Oreo" (or something of that ilk), this hits a brick wall. The logic, their logic, that is. If a new release comes out and several weeks later after most (meaning a lot) of the users have upgraded their devices, an exploit gets found where any device running the OS can

• A person's device belongs to the person who is its administrator. If YOU aren't root on your own device then you aren't the owner. So now, someone has to choose between traditional bad people trying to own your device with malware and make it work against you, or Google's malware making it work against you.

      • by poptix ( 78287 )

        I didn't see anything about this which prevents you from having root on your device. Can you provide more details?

  • by kaoshin ( 110328 ) on Wednesday September 06, 2017 @06:42PM (#55150651)
  • by dacut ( 243842 ) on Wednesday September 06, 2017 @06:45PM (#55150667)

    One potential flaw in this mechanism: I think a malware image can prevent rolling back to a known-good image by setting the rollback indexes to ridiculously high value, say 2147483647 (2**31-1).

    This diagram [googlesource.com] shows how the workflow is supposed to proceed. If Mallory gets her verification key onto your device (either by social engineering or another flaw), then her custom malware image can be booted by the device in locked mode. The user will get a warning about this being a custom OS (good!), but then the rollback index values in Mallory's image are written to the stored rollback index values (bad!). If I then attempt to go back to Oreo 8.0, it won't let me.

A better mechanism would be to have a set of stored rollback index values per verification key, not a global set per device. Then I could roll back to the stock factory image from Mallory's malware image.

    • by Kjella ( 173770 )

      Can't you use the A/B support for that, one for stock Android, one for custom OS? From the example they seem to have different rollback indexes.

    • One potential flaw in this mechanism: I think a malware image can prevent rolling back to a known-good image by setting the rollback indexes to ridiculously high value, say 2147483647 (2**31-1).

      This diagram [googlesource.com] shows how the workflow is supposed to proceed. If Mallory gets her verification key onto your device (either by social engineering or another flaw), then her custom malware image can be booted by the device in locked mode. The user will get a warning about this being a custom OS (good!), but then the rollback index values in Mallory's image are written to the stored rollback index values (bad!). If I then attempt to go back to Oreo 8.0, it won't let me.

A better mechanism would be to have a set of stored rollback index values per verification key, not a global set per device. Then I could roll back to the stock factory image from Mallory's malware image.

      Good info, thanks!

      I'm being humorous, but truthful. This feels like "Ad non-view punishment". If a ad-blocker is installed, you can get those nice "ads pay for our site; you can't view unless you see the ads" on a desktop OS. This seems like a "if you have a custom installed OS, you get to wait 10 seconds as a time-out".

      I know it's not the same, but it just seems to match. A user who installs a custom ROM on an unlocked phone should have to see the warning, at most, 1 time. To see it every time is a fo
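Editor's added example, not code from any commenter or from Android: dacut's scenario above made concrete. The first design keeps one stored index for the whole device, so an image signed by any enrolled key ratchets the counter for every other key; the second keys the stored index by the verification key, as dacut proposes. The key identifiers, the fixed-size key table, and the index values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Two ways to key a stored rollback index. Written for this page to compare
 * the designs discussed in the thread; neither is libavb code. */

struct image {
    const char *key_id;       /* which verification key signed this image */
    uint64_t rollback_index;  /* index carried in the signed metadata */
};

/* Design 1: one device-wide stored index shared by every key. */
struct global_store { uint64_t stored; };

bool global_accept(struct global_store *st, const struct image *img)
{
    if (img->rollback_index < st->stored)
        return false;                    /* downgrade: refuse */
    st->stored = img->rollback_index;    /* ratchet forward on acceptance */
    return true;
}

/* Design 2 (dacut's proposal): a separate stored index per verification key. */
#define MAX_KEYS 4
struct key_entry { char key_id[32]; uint64_t stored; bool in_use; };
struct perkey_store { struct key_entry keys[MAX_KEYS]; };

static struct key_entry *lookup_or_add(struct perkey_store *st, const char *key_id)
{
    for (int i = 0; i < MAX_KEYS; i++) {
        struct key_entry *k = &st->keys[i];
        if (k->in_use && strcmp(k->key_id, key_id) == 0)
            return k;
        if (!k->in_use) {                /* entries fill in order, so this is a new key */
            strncpy(k->key_id, key_id, sizeof k->key_id - 1);
            k->key_id[sizeof k->key_id - 1] = '\0';
            k->stored = 0;               /* a newly enrolled key starts at zero */
            k->in_use = true;
            return k;
        }
    }
    return NULL;                         /* table full: refuse rather than guess */
}

bool perkey_accept(struct perkey_store *st, const struct image *img)
{
    struct key_entry *k = lookup_or_add(st, img->key_id);
    if (k == NULL || img->rollback_index < k->stored)
        return false;
    k->stored = img->rollback_index;
    return true;
}

/* Constructed scenario: the OEM's stock build, then an image signed by a key
 * Mallory managed to get enrolled, carrying the huge index dacut mentions. */
const struct image STOCK   = { "oem-release-key", 5 };
const struct image MALLORY = { "mallory-key", 2147483647ULL };

/* Can the stock image still boot after Mallory's image was accepted once? */
bool stock_survives_global(void)
{
    struct global_store g = { 0 };
    return global_accept(&g, &STOCK) && global_accept(&g, &MALLORY)
        && global_accept(&g, &STOCK);
}

bool stock_survives_perkey(void)
{
    struct perkey_store p;
    memset(&p, 0, sizeof p);
    return perkey_accept(&p, &STOCK) && perkey_accept(&p, &MALLORY)
        && perkey_accept(&p, &STOCK);
}
```

`stock_survives_global()` returns false and `stock_survives_perkey()` returns true, which is dacut's point. The trade-off worth noting is in `lookup_or_add`: a freshly enrolled key starts from zero, so the per-key design only bounds downgrades among images signed by the same key, and anyone able to enrol a key gets a clean counter. It also needs tamper-evident storage for a small table rather than a handful of counters, which is a harder ask of the hardware than the global design.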

  • "No advantages" (Score:5, Informative)

    by 93 Escort Wagon ( 326346 ) on Wednesday September 06, 2017 @06:47PM (#55150675)

    This has no advantages other than making it hard for users to install ROMs or to revert to a previous official ROM to restore missing functionality.

    No advantages - except enforcing security, whether you want it or not. And the story link provided even says Rollback Protection can be disabled.

    Now you may not want it - you may think you're smart enough to not need it - but let's not pretend there's no reason for this.

    The summary's proffered example of "no easy rollback from windows 10 to 7" is technically true, but overstating things quite a bit for dramatic purposes. More relevant analogs would be "no easy removal of Windows security patches you've previously applied" and "no easy rollback from your current Linux kernel to the previous one which contained a remote root exploit".

    • Security against who? I am the owner of my devices. Anything that prevents the owner from doing what they wish is the definition of malware whether it is coded by Russians or by Google.

      • by Xenx ( 2211586 )
        If it was an upgrade forced on an existing device, you have a point. For any device that is sold with the feature, you're knowingly purchasing a device that performs this check. That means you don't care enough to check, don't mind it, or want the feature. Regardless of which one, it isn't malware at that point.
        • For any device that is sold with the feature, you're knowingly purchasing a device that performs this check. That means you don't care enough to check, don't mind it, or want the feature.

Or you have checked, the result being that all devices available to the public include the feature, and you begrudgingly accept the feature. This, for example, is true of the "Windows 10 preinstalled, no other OSes warranted" feature of every non-Apple laptop PC shown in a U.S. retail chain's showrooms. Technically, one might argue that this falls under "don't mind it" but I felt that this sort of Hobson's choice was worth mentioning.

          • by Xenx ( 2211586 )
There are a number of options available. The choice isn't this or nothing. The choice is this, that, the other, or nothing. People aren't guaranteed there will be a phone that meets all of their wants. The best you can do is decide which are most important and choose one that meets those.
            • by tepples ( 727027 )

              The choice is this, that, the other, or nothing.

              Where this, that, and the other all have the same anti-feature.

              • by Xenx ( 2211586 )
                No need to lie to support your side of the argument. There are options w/o this feature.
                • by tepples ( 727027 )

                  I asked about Linux laptops in a Staples store, but the sales associate told me all laptops came with Windows. I asked about Linux laptops in a Best Buy store, but the sales associate told me all laptops came with Windows except the MacBooks. So among non-Apple laptops in U.S. retail chains, which are the "options w/o this feature" of Windows?

                  • by Xenx ( 2211586 )
                    You incorrectly(partially) compared the situation to Windows. My counterpoint was in regards to the actual topic, Android, and not Windows. However, there are options for laptops without Windows. They are limited, and generally found online. You'll also find that you're not likely to save much money getting one without Windows.
                    • by tepples ( 727027 )

                      My counterpoint was in regards to the actual topic, Android

                      What new, non-Apple replacement for an Android device can I find in stores? An Apple device requires a Mac, such as a $499 Mac mini, in order to load non-Store apps.

                      However, there are options for laptops without Windows. They are limited, and generally found online. You'll also find that you're not likely to save much money getting one without Windows.

                      Saving money is secondary to saving time working around things like broken audio, broken Wi-Fi, broken Bluetooth, broken backlight brightness control, broken suspend, a laptop keyboard that doesn't agree with my hands because I never had the chance to try it first, a laptop screen that doesn't agree with my eyes because I never had the chance to

      • If I physically steal your phone, an unlocked bootloader lets me replace your firmware with a custom, insecure firmware that bypasses your lock screen and everything.

        If you lock your bootloader, I can use an exploit to hack into your phone and take control.

        If you upgrade your phone's official OS image, I can load an earlier version of the OS image and then hack into it anyway.

        This anti-rollback mechanism stops that last one. Remember: A brick costs $0.89 at Home Depot. I can probably get most people'

      • You're making the incorrect assumption that security patches only prevent you from doing certain things with your device. This is far from the case. By large, security patches are designed to prevent exploitation of your device by other actors. If, for example, you use your phone for banking or payments, you should be extremely motivated to ensure that you have minimized the possibility of anybody hijacking your device and gaining access to your money as a result.
    • So your more relevant analog is "no easy removal of Windows security patches you've previously applied", and somehow you feel things are overstated? Inability to roll back Windows security patches would be outright catastrophic given the frequency at which they break something.
    • except enforcing security, whether you want it or not.

      If "security" is being enforced against my wishes, it is an attack.

  • Baaah Baaaaah. (Score:5, Informative)

    by CrashNBrn ( 1143981 ) on Wednesday September 06, 2017 @07:32PM (#55150877)

What clickbait. This has nothing to do with custom ROMs.

    "RollBack Protection", prevents the device from booting from an earlier major version of Android. So as to prevent would-be thieves from easily wiping the device and obviating Android Oreo's security mechanisms.

    Android 8.0 Oreo Review [arstechnica.com]

    No more OS downgrades—If an attacker steals your phone, Android has several security features in place that will make it more difficult to access your device. It doesn't help matters much if the attacker can just downgrade the operating system to a version that didn't have those protections in place, so with that in mind Android 8.0 introduces "rollback protection" into the Verified Boot process. With rollback protection, Verified Boot will no longer start up an OS that it detects has been downgraded to an earlier version.

    Developers (or Android-obsessed journalists) that need to downgrade their device to an older version for testing or checking something can disable this feature, which will trigger the usual slew of boot-up warning messages. Google also says it has "hardened the bootloader unlocking process," which should make it harder for bugs or malicious apps to unlock the bootloader without user approval.

    • by mjwx ( 966435 )

What clickbait. This has nothing to do with custom ROMs.

Yes, but the problem is that the headline "OMG! New iPhone" just isn't bringing in the clicks like it used to, so running a scare non-story about Android is the best they can do. It seems the announcement of a new iPhone now brings in as much fanfare as Toyota announcing a new Camry.

The two-minute Android hate is a regular occurrence on /. now.

  • You get to choose. Either get an easily unlockable device like Pixel or OnePlus and install whatever ROM you want. Fine, 10 second boot delay, but how often do you boot a phone? Or, you just don't worry about it and just be safe. Then you don't want someone to downgrade your phone to an OS version that can be targeted with various exploits. If you change your mind, you can still unlock the bootloader after verifying some information with your vendor or wireless provider to make sure it's really you. What do

  • As it rejects an image if its "rollback index" is inferior than the one in "tamper evident storage," any attempts to install a previous version of the official, signed ROM will make the device unbootable. Much like iOS (without the rollback grace period) or the extinct Lumias.

    That's not how the iOS downgrade grace period works at all. The installation blobs of iOS are code signed with expiring keys and the expiry dates are (generally) set to 2 weeks after the next iOS release.

    This means you can at least trick iTunes/iOS into downgrading after the expiry period so long as you've kept the downloaded blobs and use tools like Prometheus... but Google's basically shut the door on its Android users.

  • this might seem like a good idea at first

    No. No, it doesn't.
