Custom rom vs stock rom

I am still thinking about switching to a custom ROM (LineageOS, as it could be installed with no microG), but it will leave my bootloader unlocked. The question is: what are the biggest risks of an unlocked bootloader? Only if someone takes my phone, or do remote dangers also occur?

The dangers would be more on the physical side than the virtual side. /e/Foundation tells you that its focus is on privacy, which is the virtual side of things. On that they succeed. Keep in mind that /e/OS can be set up to not enable microG at all. That is shown during the setup process.

https://www.howtogeek.com/142502/htg-explains-the-security-risks-of-unlocking-your-android-phones-bootloader/

However, even a locked bootloader is not a guarantee either:
https://www.bleepingcomputer.com/news/security/vulnerabilities-discovered-in-mobile-bootloaders-of-major-vendors/

Ah, the age-old question about whether it’s safe to have a phone with an unlocked bootloader.

Many people have concerns over their unlocked bootloaders. And they have their reasons. There are some attacks (like the Evil Maid attack) where, if the attacker has physical access to your device with an unlocked bootloader, they can actually install malicious software onto the phone.

But I don’t think you should be worried too much about this. Even if your phone gets lost or stolen, what are the chances of some random pickpocketing thief actually knowing their stuff if they come across a phone with an unlocked bootloader? What are the chances of an average thief being knowledgeable enough about phones, about their device trees, about how the phone boots up, how the software is installed and how the phone’s recovery works in order to install malicious software? The chances are very comical, to say the least. Your usual thief will just want to get rid of the phone as quickly as possible while making some profit. So they will just want to sell the phone on sites like Craigslist or similar and be done with it.

Unless you as an individual are targeted by state actors or some other parties (political parties, lobby groups etc) consistently, you don’t have to worry about unlocked bootloader and having a custom OS. For most people with custom OS, having an encrypted phone with a good PIN or password is just enough.

What I am saying: when it comes to security and privacy, you should always consider your threat model / security profile. Are you someone like Jon Snowden, working in a government and whistleblowing top secret information? Then having a phone with an unlocked bootloader is a very real risk you’re taking and you should do everything to minimize the damage. Are you an activist fighting for a cause? Then chances are you’re most likely being targeted by the police and/or other state actors, and having an unlocked bootloader poses some threat to you and your data. Are you an average Joe or Dane working, paying taxes etc., and the only threat model you have is “I don’t want big corporations like Google or Microsoft to sell my data”? Having a phone with an unlocked bootloader is perfectly fine for you. You should always consider the individual risks and threats which might happen to you.

Do the advantages of a custom OS outweigh the potential risks in your individual case, considering individual risks? If yes, then go for a custom ROM. If not, then stay with the stock OS installed on the phone.

However, if you think about relocking the bootloader with a custom ROM, beware that this is very risky as it might brick your phone and make it unusable. Although if you choose to go down this path, there are several guides on the XDA forums using self-signed packages to relock the bootloader.

Concerning /e/OS … [LIST] Devices where bootloader can be relocked

I am a regular user who wants to take care of my own privacy (here custom ROMs seem to be the most reasonable solution), but at the same time I am worried about security (e.g. a locked bootloader seems to give it). My current phone is “sake”, so I cannot relock the bootloader. Currently I am trying to better understand the risks posed by an unlocked bootloader in order to make a more conscious decision.

OK, a random pickpocket probably does not know too much about phones, but what about the risks of the phone being hacked remotely? Nowadays we stay connected to the Internet practically the whole day, and some maybe 24/7. Have some attacks been done remotely thanks to the unlocked bootloader?

Verified boot is only enforcing when the bootloader is locked and can provide some resistance against persistence of remote attacks.
