There's nothing to mitigate in the first place. It has nothing to do with GrapheneOS or smartphones. Every Windows laptop vendor has bundled sketchy bloatware in the past and many still do in the present. Security research targets are encouraged, feel free to find something, anything, in these devices that you think are off. Use a non-Motorola device if you want to choose based on pure vibes or you don't like them for any other reason. If you're an OEM, contact us and work with us.
If you really have to get to the details then Superfish is not installed by the firmware but was bundled operating system software and was trivially discovered. Obviously, there's no such thing that will happen here or GrapheneOS, it would be caught by our (very) vigilant users and I know I put the rep on the line saying that.
>now these assholes control the bootloader, the baseband
The bootloader is a standard littlekernel-based Android bootloader. The baseband is Qualcomm's, part of their SoC. Our device requirements on the site state explicitly radios must be isolated and that sensitive data cannot be accessed at the bootloader (working verified boot, zeroing memory left over from the OS, etc.), we are very conscious about that and received bounties for discovering and patching security deficiencies in bootloaders targeting Pixels that were exploited in the wild.
We'll be having involvement in the driver and firmware side of things. Working to improve their security posture and harden their stock OS and firmware is part of the partnership.
island14d ago
