TeamWin / Team-Win-Recovery-Project

Core recovery files for the Team Win Recovery Project (T.W.R.P) - this is not up to date, please see https://github.com/TeamWin/android_bootable_recovery/
http://twrp.me

Why TWRP must have password protection #922

Closed derlaft closed 2 years ago

derlaft commented 7 years ago

This is a reply for https://twrp.me/faq/securetwrp.html article.

TL;DR: because of chain of trust

If you don't want someone getting your personal data, use Android's device encryption and a good lockscreen.

This does not work if the recovery is not protected somehow. Anyone can silently add a keylogger to the /system partition and easily decrypt all the /data files.

Let's see how the vanilla data protection works:

  1. The bootloader loads the kernel.
  2. When the bootloader is locked, the kernel can be replaced only with a signed one. No keylogger can be injected.
  3. /system is also signed.
  4. A booted system won't allow you to do anything until you submit the correct PIN.

Results: the firmware can only be modified by the vendor, so nobody else can decrypt /data using a keylogger attack.

How everything could work if TWRP had password protection:

  1. Flash a password-locked TWRP.
  2. Re-lock the bootloader. So, the password can be removed only by (a) wiping all the data by unlocking the bootloader again, OR (b) TWRP, if you know the password.
  3. Nobody can change the kernel or the /system partition without knowing the password or wiping /data.
  4. You can trust the system you boot.

Results: you have both full control of your firmware and the security benefit of a locked bootloader.

nailyk-fr commented 7 years ago

When the bootloader is locked you can't replace kernels, OK. But when the bootloader is unlocked you can replace kernels from fastboot or any other flashing method. Adding a TWRP password is only meaningful when the USB port is broken and the kernel can only be flashed from the device.

After writing I saw the 'relock' step. Except for hammerhead (maybe other Nexus devices), relocking with an unsigned kernel results in a brick (some LG and all Xperia).

derlaft commented 7 years ago

> When bootloader is locked you can't replace kernels, ok.

Just tried -- I can. Not from fastboot, but from TWRP. Maybe this varies by device (I guess HTC with their S-ON are not eligible for this).

derlaft commented 7 years ago

> After writing I saw the 'relock' step. Except hammerhead (maybe other nexus devices), relocking with not signed kernel result in brick. (some LG and all Xperia)

OK, now I see. Everything is pretty sad then.

andrew-phi commented 5 years ago

Anyway, a password for TWRP still IS a good feature because 99% of people don't carry laptops around to flash bad firmware to your phone AND they need customized images for your phone (there are none in my personal case). But any cool-hax0r kid is so damn inclined to poke around with rebooting a phone into recovery mode just to show how big a l33t haxx0r he is and do things that you, as the owner, definitely DO NOT want him to do! THIS IS A MUST HAVE!

CaptainThrowback commented 5 years ago

Just encrypt with password on boot in Android. Problem solved.

CaptainThrowback commented 5 years ago

This isn't an actual TWRP issue. The only solution is what I said. TWRP won't be getting password protection, so I wanted to make sure everyone understands that's the best solution for now. Between dm-verity and forced encryption, this is a non-issue to me and apparently the TWRP developers too. I think there are forks of TWRP that have added this feature; maybe the OP can try one of them.

Sarets commented 3 years ago

I totally agree with @derlaft.

The main problem is that most devices can't lock the bootloader after a custom recovery. But we can find a workaround for how to protect the device in this case. For example, if your phone was restarted not by you:

Let's imagine TWRP has password protection. In this case you can try to type the TWRP password (different from the Android password). If the password is not accepted, it means somebody changed the recovery via fastboot.

If the password is fine, then you can log in to TWRP and open the terminal. You can check the sha256sum of the recovery and boot partitions. If the hash sum doesn't match previous times, it's a reason to reinstall the whole system from your previous clean backups.

De facto, everybody can restart my Android into TWRP recovery right now and get root access via the TWRP terminal, then change system/boot files, which can compromise my next system start.

So the TWRP password feature is not a solution for protecting user data. But it's a way to protect an unlocked bootloader against installing rootkits or keyloggers, or using other vulnerabilities via fastboot or adb sideload.
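The partition-hash check the comment above describes, written out as a POSIX shell script that could be run from a recovery terminal. This is an added example, not TWRP project code. It assumes `sha256sum` is available (as in toybox/busybox builds) and that the partitions are passed as readable paths such as `/dev/block/by-name/boot`; the image paths and the baseline file name are placeholders.

```shell
#!/bin/sh
# Added example (not TWRP's own code): record a SHA-256 baseline of partition
# images and later verify them, as a cheap tamper check for boot/recovery.
# Assumptions: "sha256sum" exists; each argument is a file or block device
# that can be read in full; the baseline lives on media the device cannot
# silently rewrite (e.g. a laptop or external card kept by the owner).

# record_baseline BASELINE PATH...
# Writes one "hash  path" line per partition to BASELINE.
record_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for dev in "$@"; do
        sha256sum "$dev" >> "$baseline" || return 1
    done
}

# verify_baseline BASELINE
# Recomputes every hash listed in BASELINE. Prints OK/MISMATCH per entry and
# returns 0 only if every partition still matches the recorded hash.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Usage: script.sh record BASELINE PATH...   |   script.sh verify BASELINE
# Placeholder partition paths: /dev/block/by-name/boot /dev/block/by-name/recovery
case "${1:-}" in
    record) shift; record_baseline "$@" ;;
    verify) shift; verify_baseline "$@" ;;
esac
```

Two caveats follow directly from the thread: the baseline must be kept off the device, because anyone who can reflash the recovery can also rewrite a file on it; and a replaced recovery can lie about what its terminal computes, which is exactly why the comment puts the password prompt first and the hash check second. On A/B devices the partition names carry a slot suffix (for example `boot_a`), so record both slots.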

derlaft commented 2 years ago

It seems that nowadays it should be possible to relock the bootloader with custom firmware: https://forum.xda-developers.com/t/guide-re-locking-the-bootloader-with-a-pre-built-custom-rom-such-as-lineageos-official.4260825/

While TWRP functionality might be partially limited in this mode, it might still be used (to flash signed images and to produce backups).

> Just encrypt with password on boot in Android. Problem solved.

But pretty much yes: even in locked mode TWRP won't be able to access user data without a password or flash unsigned firmware. Therefore there's not really a reason to protect it with a password.