Android Oreo's Rollback Protection Will Block OS Downgrades (androidpolice.com)
jbernardo writes: Google is using the boiling frog method to exclude power users and custom ROMs from Android. A new feature in Android 8.0 Oreo, called "Rollback Protection" and included in the "Verified Boot" changes, will prevent a device from booting should it be rolled back to an earlier firmware. The detailed information is here. As it rejects an image if its "rollback index" is lower than the one in "tamper evident storage," any attempt to install a previous version of the official, signed ROM will make the device unbootable. Much like iOS (without the rollback grace period) or the extinct Lumias. It is explained in the recommended boot workflow and notes below, together with some other "smart" ideas.
Now, this might seem like a good idea at first, but let's just imagine this on a PC. It would mean no easy rollback from Windows 10 to 7 after a forced installation, and doing that or installing Linux would mean an unreasonably complex bootloader unlocking, with all your data wiped. Add SafetyNet to the mix, and you would also be blocked from watching Netflix or accessing your banking sites if you dared to install Linux or roll back Windows. To add insult to injury, unlocked devices will stop booting for at least 10 seconds to show some paternalist message on how unlocking is bad for your health: "If the device has a screen and buttons (for example if it's a phone) the warning is to be shown for at least 10 seconds before the boot process continues." Now, knowing that most if not all Android bootloaders have vulnerabilities/backdoors, how can this be defended, even with the "security/think of the children" approach? This has no advantages other than making it hard for users to install ROMs or to revert to a previous official ROM to restore missing functionality.
On a PC, if you are going to 'roll back', the best thing to do is start from a clean hard disk. The only reason to do this is if there are problems, in which case the safest thing to do is to wipe the machine.
Does the Android phone have forced installation? If so, then anyone buying it is an idiot. If not, then why bring it up.
And as always, data is only lost if you don't back it up. Now, on upgrade data can also be migrated, so you may not be able to use it on an old system, but again, if this is not a forced upgrade, why didn't you back up your data?
What is this, the day /. lets the children run the front page so they can whine about the fact the candy store charges money?
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
One potential flaw in this mechanism: I think a malware image can prevent rolling back to a known-good image by setting the rollback indexes to a ridiculously high value, say 2147483647 (2**31-1).
This diagram shows how the workflow is supposed to proceed. If Mallory gets her verification key onto your device (either by social engineering or another flaw), then her custom malware image can be booted by the device in locked mode. The user will get a warning about this being a custom OS (good!), but then the rollback index values in Mallory's image are written to the stored rollback index values (bad!). If I then attempt to go back to Oreo 8.0, it won't let me.
A better mechanism would be to have a set of stored rollback index values per verification key, not a global set per device. Then I could roll back to the stock factory image from Mallory's malware image.
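The scenario the comment above describes, as an added toy model that is not part of the original thread and is not Android's libavb code: a device with one global set of stored rollback indexes (as the summary describes: reject an image whose index is lower than the stored one, then raise the stored value to the booted image's value), beside the per-verification-key variant the commenter proposes. The class and function names, the two rollback-index locations, the image versions and the "mallory" key are all this example's own constructions; the only detail taken from the real format is that rollback indexes are 64-bit, so the attacker's counter is set to 2**64-1 rather than the 2**31-1 the comment mentions.

```python
# Constructed toy model of verified-boot rollback protection.
# NOT Android's libavb: Image, Device, PerKeyDevice and the scenario are
# this example's own constructions; signatures are modelled by a key_id only.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

UINT64_MAX = 2**64 - 1  # rollback indexes are 64-bit in the real format


@dataclass(frozen=True)
class Image:
    name: str
    key_id: str                        # stands in for "signed with this key"
    rollback_indexes: Tuple[int, ...]  # one counter per rollback-index location


class Device:
    """One global set of stored rollback indexes (what the summary describes)."""

    def __init__(self, oem_key: str, locations: int = 2) -> None:
        self.oem_key = oem_key
        self.locations = locations
        self.user_keys: Set[str] = set()   # keys enrolled by the user (or by Mallory)
        self.stored: List[int] = [0] * locations  # models tamper-evident storage

    def enroll_user_key(self, key_id: str) -> None:
        self.user_keys.add(key_id)

    def _stored_for(self, image: Image) -> List[int]:
        # Global variant: every key shares the same stored indexes.
        return self.stored

    def boot(self, image: Image) -> str:
        # Step 1: is the image signed with a key the device accepts?
        if image.key_id == self.oem_key:
            status = "booted"
        elif image.key_id in self.user_keys:
            status = "booted-with-custom-os-warning"  # the "custom OS" notice
        else:
            return "rejected-unknown-key"
        # Step 2: reject if any index in the image is lower than the stored one.
        stored = self._stored_for(image)
        if any(idx < cur for idx, cur in zip(image.rollback_indexes, stored)):
            return "rejected-rollback"
        # Step 3: on a successful boot, raise the stored indexes to the image's.
        for i, idx in enumerate(image.rollback_indexes):
            stored[i] = max(stored[i], idx)
        return status


class PerKeyDevice(Device):
    """The commenter's proposal: stored indexes kept per verification key."""

    def __init__(self, oem_key: str, locations: int = 2) -> None:
        super().__init__(oem_key, locations)
        self.per_key: Dict[str, List[int]] = {}

    def _stored_for(self, image: Image) -> List[int]:
        # setdefault returns the list held in the dict, so updates persist.
        return self.per_key.setdefault(image.key_id, [0] * self.locations)


# Constructed images: two stock releases and Mallory's image with maxed counters.
STOCK_80 = Image("stock-8.0", "oem", (1, 1))
STOCK_81 = Image("stock-8.1", "oem", (2, 2))
MALLORY = Image("mallory-os", "mallory", (UINT64_MAX, UINT64_MAX))


def run_scenario(device: Device) -> List[str]:
    """Boot sequence: 8.0, 8.1, back to 8.0, Mallory's image, back to stock 8.1."""
    device.enroll_user_key("mallory")  # obtained by social engineering or a flaw
    return [device.boot(img) for img in (STOCK_80, STOCK_81, STOCK_80, MALLORY, STOCK_81)]


if __name__ == "__main__":
    print("global:  ", run_scenario(Device("oem")))
    print("per-key: ", run_scenario(PerKeyDevice("oem")))
```

With the global store, the last step (returning to stock 8.1 after Mallory's image has booted) is rejected, because the stored indexes now hold 2**64-1; with the per-key store, stock 8.1 boots again because Mallory's counters only ever touched her own key's entry. Note that in both variants the legitimate downgrade from 8.1 to 8.0 is still refused, which is the behaviour the submission objects to.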
If you're buying an Android device used, you want to know that the previous owner hasn't installed malware that persists across an apparent factory reset. Popping up a "This device runs a custom operating system" notice while the bootloader is loading the kernel is an unobtrusive way of doing this.
If you're buying an Android device, and you watch movies, you want a wide selection of movies. Google can do one of two things. It can keep its license from major movie and television studios to offer their works through Google Play by continuing to improve the digital restrictions management that deters copying a rented stream. Or it can lose its license and pull the works from Google Play, and end users will end up having to buy an iPod touch, iPhone, or iPad in order to continue to watch notable movies and television series once the licensed apps become iOS-exclusive.
Or Google can ask the providers why Windows gets a pass.
Probably because it's easier to upgrade a random PC to the latest build of Windows 10 than to upgrade a random phone to the latest build of Android. This allows app developers to exclusively target a new feature update (such as Anniversary, Creators, or Fall Creators) where known holes in Protected Media Path and other digital restrictions management technologies in Windows 10 have been plugged.
And no, Windows doesn't necessarily get a pass. No app (legally) plays UHD Blu-ray movies on Windows on a PC with a CPU older than Kaby Lake or an operating system other than Windows 10. You may also need to replace your motherboard with one that supports Intel SGX and your video card with one that supports AACS 2.0 and HDCP 2.2. (Source) Movie studios have put similar requirements on 4K streaming. (Source)