
Pixel Security - praving5
https://security.googleblog.com/2016/11/pixel-security-better-faster-stronger.html
======
jc4p
Just FYI in case anyone is considering buying a Pixel: I strongly urge you not
to. [http://kasrarahjerdi.com/2016/11/dont-buy-anything-made-by-g...](http://kasrarahjerdi.com/2016/11/dont-buy-anything-made-by-google/)

They have no Google provided support, if you drop the phone and break it your
only option (if you didn't buy the third-party warranty upsell) is to take it
to a repair shop. I called the ones near me, none had seen or touched the
device before.

Don't spend $800 on a phone that you can't send back to the manufacturer to
repair.

Edit: I originally said "they have no warranty" and people seem to have
understood that as "they don't provide free repairs" -- what I'm trying to
say is that this phone is supposedly a competitor to Apple, but if you break
it you can't walk to the Apple Store and ask them how much it'd be for a
repair. You can't send it in the mail to them either. You have to go to an
authorized third-party repair shop. That does not sound like first-class
flagship $800 product support to me.

~~~
joncalhoun
Have you ever tried to get something Apple branded repaired when it is out of
warranty?

The repairs tend to basically cost as much as it would to buy the same item
refurbished regardless of the issue.

SSD died on your MacBook Air selling for $500 on eBay? That will be a $450
repair sir.

Sure, they may have manuals and everything else at the Apple store, but there
is very clearly a reason why companies like iCracked and iFixIt exist, and it
isn't because Apple offers such a wonderful and affordable repair shop.

It would be great if Google offered a way to get the phone repaired through
them, but using Apple as an example of how it should be is a bit insane to me.

~~~
interpol_p
So this happened to me. My 2012 retina MacBook Pro battery was dying. Which
makes sense, I used it every day for over four years.

I figured I could take it to Apple for a battery replacement. They said they
would do it — for $900. They told me it involved replacing the entire bottom
half of the computer as the battery was glued in.

So I called their support line and complained that the laptop was perfectly
fine and it shouldn't cost that much to replace a battery. They ended up
replacing it for free, as well as the screen (because they identified that the
anti-reflective coating was starting to wear). So while the policy was
ridiculous, the actual outcome was very positive.

~~~
lloeki
> $900. They told me it involved replacing the entire bottom half of the
> computer as the battery was glued in.

WTF? This is nonsense.

Apple prices for battery repairs are clearly outlined on their web site[0].
This has always been what I (or relatives/friends/coworkers) paid for
France[1] when I had to change a battery.

[0]: [https://support.apple.com/mac-notebooks/repair/service/prici...](https://support.apple.com/mac-notebooks/repair/service/pricing)

[1]: [https://support.apple.com/fr-fr/mac-notebooks/repair/service...](https://support.apple.com/fr-fr/mac-notebooks/repair/service/pricing)

~~~
interpol_p
That is the _exact_ page I used to argue my case with Apple on the phone. I
said it was misleading that the price given to me at the Apple store was so
much higher than what was listed on their website.

They told me that those prices are the _service_ pricing, but do not include
parts. And because the entire lower-half of the laptop needed to be changed in
the rMBP model, the total cost would come to about $900 AUD.

The actual item listed on the repair invoice is "Top Case Assembly with
Battery" @ $562.73 and the "Hardware Repair Labor" charge is listed at $289
AUD.

Did you ever have friends or relatives change the battery in a retina MacBook
Pro? Apple cannot remove the battery because it is glued into the lower case
assembly. And so when I got my machine back from Apple the trackpad, keyboard,
and lower aluminium chassis were brand new (however the bottom plate, logic
board, and internals were the same).

------
tdkl
Google security is so strong, they'll even lock you out of your own account
when changing cities, with no chance to get it reinstated :

[https://www.reddit.com/r/Android/comments/5dif8j/psa_google_...](https://www.reddit.com/r/Android/comments/5dif8j/psa_google_can_lock_your_account_forcing_you_to/)

~~~
davemel37
[http://www.slashgear.com/pixel-phone-flipping-scheme-googles...](http://www.slashgear.com/pixel-phone-flipping-scheme-googles-statement-on-a-ban-hammer-17464528/)

Looks like Google is reinstating accounts.

~~~
odbol_
Good, now whenever I need tech support, all I need to do is get my gripes
published in a global news site and trend on Hacker News so I can get Google
to respond to me...

~~~
chrisper
And this is exactly why I am currently migrating to fastmail...

~~~
dx034
Should be enough to use Gmail with your own domain (and regular backups)? In
that case you can still use all Google services but have an easy migration in
the (still unlikely) case they lock you out

~~~
chrisper
Yeah, I just migrated all my mail over night and connected my gmail account
with my fastmail account. Works great!

------
Sir_Cmpwn
I would really love to see Google tackle fixing the security problems
presented by the radio chip. A closed source esoteric firmware full of
vulnerabilities that has DMA on your primary CPU and is remotely exploitable
by state and private actors? Not to mention that it's an entry point into a
device that's always on your person, has all of your contacts, emails, text
messages, and phone calls, and has a GPS module in it. The radio is a _huge_
problem and dramatically outweighs any other security concerns on a phone imo.

~~~
pawadu
I have been told that the baseband stack is so large and complicated (and of
course buggy) that it has to run in a virtual environment.

------
zx2c4
"We then modified the inline encryption block driver to pass this to the
hardware. As with ext4 encryption, keys are managed by the Linux keyring. To
see our implementation, take a look at the source code for the Pixel kernel."

It doesn't sound like they got these changes into mainline. They link here to
their source: [https://android.googlesource.com/kernel/msm/+/android-msm-ma...](https://android.googlesource.com/kernel/msm/+/android-msm-marlin-3.18-nougat-dr1/fs/ext4/crypto_key.c)

From that file:

    /* TODO(mhalcrow): Just for proof-of-concept */

WHOOPS!

------
wheelerwj
Isn't the Pixel the phone that was just pwned inside 60 seconds by security
researchers?

And doesn't google have a terrible track record of releasing data to federal
agencies?

So, aside from purchasing a phone that is built by a data-mining, internet
advertising giant, Google can't even begin to make the claim that they value
user security.

~~~
staticassertion
"pwned in 60 seconds" is a hugely misleading statement. Every time there's a
hacking competition you see "Chrome, Firefox, IE fall in seconds" - ignoring
the weeks or months that it takes to find the vulnerabilities and develop
exploits for them.

~~~
ocdtrekkie
It's not misleading, the issue is that your actual phone could be actually
compromised in 60 seconds time, not some giant period of guessing and trying
or cracking a complicated crypto scheme. The research time isn't material to
the severity of the threat at the time of attack.

~~~
staticassertion
The vast majority of exploits of that nature take less than 60 seconds. It is
nothing at all interesting or special or rare that it took < 60 seconds. Just
clickbait, like every year when pwn2own rolls around.

------
devsquid
Kinda neat they link directly to some source code in a blog post.

------
amluto
I trust this as far as I can throw it. TrustZone is at best as secure as the
TrustZone secure world kernel, Qualcomm supplies that code (even in the Pixel
AFAIK), and the Qualcomm secure world kernel is notoriously poorly written.

~~~
swiley
It would be great if someone built some non-qualcomm phones.

------
beefsack
Countries with stronger consumer protection laws should have much less of an
issue with warranties. My father dropped his Nexus 5 about 11 months after he
bought it and Google provided a replacement really promptly.

------
x0ner
While all devices have security issues, not too comforted by this:

[http://thehackernews.com/2016/11/google-pixel-phone-hacked.h...](http://thehackernews.com/2016/11/google-pixel-phone-hacked.html)

~~~
pawadu
Wait, so you mean security issues were found in a security conference where
google pays top dollar to researchers who find security issues so Google can
fix them ASAP?

Why is that a bad thing?

------
mianos
I have not seen so many gotos in many many years. I guess it's the programming
model in this case. I am sure this bit of code is going to be audited quite
closely.

~~~
palebluedot
The use of goto in C for error and exception handling is good practice. It
keeps the code easy to read, and also provides common code for error and/or
exit handling. You'll see this paradigm used a lot in large open source C
projects, such as the Linux kernel and QEMU.

In my experience, a lot of closed source C projects ban goto outright, in
(IMO) an overly dogmatic adherence to the idea that all goto use is spaghetti
code and therefore bad.

~~~
mianos
I have used them myself for error handling many times many years ago. When you
don't have exceptions and longjmp scares the shit out of you, gotos for error
handling are fine by me too. I agree, dogmatic banning of them precludes the
useful case of error handling, but it is a slippery slope that they seem to be
already sliding down with got_key:.
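To make the idiom palebluedot describes concrete, and the pitfall mianos is wary of, here is an added example (written for this thread, not code from the Pixel kernel or from Google's post). It shows a constructor that acquires three resources in sequence and unwinds exactly the ones it acquired through a ladder of cleanup labels, followed by a toy reproduction of the well-known "goto fail" shape, where one duplicated `goto` after an unbraced `if` silently makes every later check unreachable. The `record` type, the size limit that stands in for a real policy check, and the `checks_*` functions are all constructed for the illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed type for the example; not from the Pixel kernel. */
struct record {
    char *name;
    unsigned char *payload;
    size_t payload_len;
};

/* Returns 0 and stores the new record in *out, or a negative errno value.
 * Each failure jumps to the label that releases what was acquired before
 * that point; the labels are ordered so control falls through the rest. */
int record_create(const char *name, const unsigned char *payload,
                  size_t len, size_t max_len, struct record **out)
{
    struct record *r;
    size_t name_len;
    int ret;

    if (!name || !payload || !out || len == 0) {
        ret = -EINVAL;
        goto out;                    /* nothing acquired yet */
    }
    if (len > max_len) {
        ret = -E2BIG;                /* stands in for a real policy check */
        goto out;
    }

    r = calloc(1, sizeof(*r));
    if (!r) {
        ret = -ENOMEM;
        goto out;
    }

    name_len = strlen(name) + 1;     /* manual strdup to stay within ISO C */
    r->name = malloc(name_len);
    if (!r->name) {
        ret = -ENOMEM;
        goto err_free_record;
    }
    memcpy(r->name, name, name_len);

    r->payload = malloc(len);
    if (!r->payload) {
        ret = -ENOMEM;
        goto err_free_name;
    }
    memcpy(r->payload, payload, len);
    r->payload_len = len;

    *out = r;
    return 0;

err_free_name:
    free(r->name);
err_free_record:
    free(r);
out:
    return ret;
}

void record_destroy(struct record *r)
{
    if (!r)
        return;
    free(r->payload);
    free(r->name);
    free(r);
}

/* The failure mode: a stray duplicated "goto fail;" after an unbraced if.
 * The third check is never reached, yet err is still 0, so the caller is
 * told everything passed. Integer arguments stand in for real checks. */
int checks_buggy(int a, int b, int c)
{
    int err = 0;
    if ((err = a) != 0)
        goto fail;
    if ((err = b) != 0)
        goto fail;
        goto fail;               /* duplicated line: c is skipped unconditionally */
    if ((err = c) != 0)
        goto fail;
fail:
    return err;
}

/* Same logic with braces on every conditional; a duplicated line would now
 * sit inside the braces and be harmless, and gcc/clang warnings such as
 * -Wmisleading-indentation and -Wunreachable-code catch the shape above. */
int checks_fixed(int a, int b, int c)
{
    int err = 0;
    if ((err = a) != 0) { goto fail; }
    if ((err = b) != 0) { goto fail; }
    if ((err = c) != 0) { goto fail; }
fail:
    return err;
}
```

The cleanup ladder is what makes a single exit path auditable: every `goto` in `record_create` names the state it leaves, and a reviewer can check each label against the resources acquired above it. The `checks_buggy` function is the shape that makes a reviewer nervous when labels start to multiply; bracing every conditional and compiling with warnings enabled is the cheap defence.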

------
mtgx
Is this meant to be a sort of _generic_ response to this issue? (which they
still don't seem to be addressing here)

[https://plus.google.com/u/0/+DeesTroy/posts/R7V3knn3f1s](https://plus.google.com/u/0/+DeesTroy/posts/R7V3knn3f1s)

Or perhaps to this?

[http://www.theregister.co.uk/2016/11/11/google_pixel_pwned_i...](http://www.theregister.co.uk/2016/11/11/google_pixel_pwned_in_60_seconds/)

Still waiting on Google to at least match, if not surpass, Apple's long-term
support in regards to updates (which is about twice as much what Google offers
right now, even though the Pixel has identical prices to the iPhones, at every
level).

------
jwtadvice
Pixel/Google does not motivate a threat model under which to evaluate or
understand their design and marketing promises, but we can take a hint from
"protects your data if your phone falls into someone else's hands." - Namely
thefts of opportunity.

Unlike other phone manufacturers, Google does not promise potential customers
that your data will be protected from Google, its partners and from law
enforcement and mass surveillance programmes.

Therein this product doesn't provide a stronger security posture than
competitors - and furthermore its threat model and security properties do not
meet what are in my opinion minimal reasonable requirements.

~~~
sigmar
>Unlike other phone manufacturers, Google does not promise potential customers
that your data will be protected from Google, its partners and from law
enforcement and mass surveillance programmes.

Are you referring to Apple? Because they don't promise that either.

~~~
jwtadvice
I used the term 'motivate' specifically because of the PR language intending
for customers to evaluate the Apple product as something that could be used by
those who need to use their phone for private and/or sensitive reasons.

Apple of course backdoors their phones for government surveillance access. But
they do motivate a threat model that includes government surveillance.

I know parsing my comment in this way may seem difficult, but I used the
terminology I did on purpose.

There are no illusions that Apple achieved the security properties that it has
motivated.

Google Pixel does not even pretend to address the security concerns of
journalists, politically active citizens, IT professionals, or individuals
contacting attorneys.

~~~
willstrafach
> Apple of course backdoors their phones for government surveillance access.

Nice job slipping a completely unfounded lie into your response.

Starting with iOS 10, you can actually just mount the root filesystem disk
image from iOS restore images. You are able to reverse engineer and audit any
application or daemon that the OS runs. You can use open source tools (Such as
idevicerestore) to perform an OS restore on your device, and point it directly
at the filesystem disk image that you just audited the binaries of. That way
you can be sure of what is being flashed onto your device if you have any
doubts that the OS you just audited is the one going onto your device. No
"blackbox" at all in this process.

I am looking forward to hearing any form of evidence regarding your claim.

~~~
bitmapbrother
How can you say you're able to audit any application or daemon without viewing
the actual source code? Case in point - if the sslKeyExchange.c code had not
been published the "goto fail" bug would likely still be in the wild.

~~~
comex
Reverse engineering tools like IDA can be used to audit closed source code.
However, this takes significantly longer than reading source code, and it's
not exactly feasible to audit the entire operating system for something
(hypothetically) intentionally hidden.

------
RRRA
Meanwhile we still have to deal with a SIM and the baseband is a whole other
clusterfuck entirely...

Can the users actually get the keys to their own stuff?

------
sundvor
And as a bonus, if you onsell it, we'll wipe your Google account without
warning.

~~~
dx034
No, we'll block your account if you never wanted to own the phone, but ordered
it directly to a reseller to make money. We block the account because it's a
violation of the ToS you agreed to.

However, we reinstate the account after a few days. [1]

[1] [http://www.slashgear.com/pixel-phone-flipping-scheme-googles...](http://www.slashgear.com/pixel-phone-flipping-scheme-googles-statement-on-a-ban-hammer-17464528/)

------
scotchio
Sorry - not post related:

#2 spot on HN, 2 comments, submitted 28 minutes ago.

Is this normal? Never seen that happen on HN before. Just curious

~~~
et-al
^ commenter shouldn't be downvoted for this.

~~~
Retra
For making an irrelevant, overly paranoid comment?

~~~
et-al
You don't find it strange at all that a post with only 2 points in the past 28
minutes shot up to the front page on a weekday afternoon?

My only answer is that what's displayed doesn't necessarily match what's used
for the ranking--that there may be some sort of lag. But yes, it could be
possible too that somehow one can bump up their posts through other means.

The original commenter even mentioned this as an aside. If another reader
didn't like it, they could've collapsed it.

~~~
Retra
I don't find it _relevant_. Given that the front page of HN doesn't 'directly'
cater to what I want to read, it may as well just be random for all the
difference it makes.

------
akerro
Does android still backup WiFi passwords in plaintext?

------
Veratyr
Encryption is all well and good but I feel like Google's handling of root
causes a lot of issues.

There are a lot of pretty basic things (like ad blocking or monitoring battery
usage) that require root, which severely impacts the security of the device.

EDIT: Okay, I stand corrected on ad blocking. Access to detailed battery stats
however is locked behind the BATTERY_STATS permission which isn't accessible
to anything except for system apps. That aside, there are other basic things
like backup that also require root.

~~~
Klathmon
Not true for either of them.

Apps can use the VPN API to do ad blocking without root, and there are tons of
ways to do more battery monitoring without root, like the built in battery
monitoring...

~~~
Veratyr
> there are tons of ways to do more battery monitoring without root

Sorry, I mean more than the built in monitor, which is largely useless.

There is no API through which I can enumerate wakelocks, CPU usage, GPS usage,
mobile radio traffic and activity, wifi radio traffic and activity or screen
on/off time without system level permissions (i.e. built into the ROM).
Therefore, there's no way for these things to be exposed to me as a user.

There used to be a permission called BATTERY_STATS but it was removed years
ago and Google has been utterly unreceptive to reinstating it:
[https://code.google.com/p/android/issues/detail?id=61975](https://code.google.com/p/android/issues/detail?id=61975)

And of course there's a bunch of apps on my device (Pixel) that have that
permission such as Qualcomm's CNE app, Play Services (com.android.vending),
another Qualcomm package (com.qualcomm.qti.auth.secureextauthservice) and a
bunch of other Qualcomm packages.

------
jwtadvice
Given recent news about mass surveillance, it's important to note that Pixel's
security model does not and can not seek to protect your data for use for
private messaging, conversation with attorneys, for journalists, or to
organize for political reasons.

If you are interested in a communications device that can be used for any of
these things, Pixel's security model will not cover you and you will need to
look for an alternative product.

~~~
Klathmon
Why are you posting a very similar comment multiple times?

~~~
jwtadvice
The two comments have significantly different content.

For those curious here is the other comment in question:
[https://news.ycombinator.com/item?id=12982502](https://news.ycombinator.com/item?id=12982502)

