Is there any benefit to disabling the option “OEM unlocking” again?

,

As is well-known and documented, before the bootloader can be unlocked on FP3/FP4, it’s necessary to enable a setting called “OEM unlocking” in the developer options. Considering that there are potential risks of bricking the phone when having this option disabled (see e.g. cases on this forum), is there any benefit (e.g. security) in doing so? Note that I’m not talking about re-locking the bootloader itself, but only about the option in the developer settings that requires entering a code obtained from this page:

Since unlocking the bootloader already requires wiping the phone, I don’t see any additional security benefit in having this option disabled. Further, the code can be obtained solely from information that is present and trivially accessible on the phone itself (IMEI and serial number). So it seems more like a protection against users accidentally messing with things than an actual security measure. But maybe I’m missing something?

I’d also be interested to learn about any differences between Fairphone 3 and Fairphone 4 with respect to this question.

1 Like

The difference is that it’s impossible to do a factory reset while having OEM Unlocking disabled. This means that if your phone is protected by a good password (which I strongly recommend), it’s impossible to get the code to unlock the bootloader and reset the phone. This implies that someone stealing your phone should not even be able to resell it as there would be no way to reset it, and it would be protected by your password.

In case of bricking, there is a way to reset the FP3 to its original state with EDL (which means anybody should be able to do it regardless of if OEM unlocking is enabled or not). The difference arises with the fact there is currently no recovery possible of a bricked FP4. Which means disabling does it add a layer of security, but also a layer of risk in case something goes wrong.

I would probably unlock the bootloader and keep it unlocked because of my tinkering with the phone and because I currently have a FP2 on which I can’t lock the bootloader anyway, so my opinion is not going to help you much :slight_smile:

2 Likes

I recommend to lock the bootloader after installing FPOS or a custom ROM which supports verified boot.
But I also recommend to let the option “Enable OEM unlocking” active.
Otherwise you have noch change, in case of problems (ROM doesn’t start), to boot in bootloader and unlock it for any troubleshooting, installing, factory reset, etc…
To let this option enabled, I see no security risk…

Alright, that’s an interesting way of looking at it. Although in the grand scheme of things, probably won’t make practical a difference to yourself if your phone is stolen (you still won’t get it back, nor will you have access to your data if it’s not backed up).

I don’t see how it adds any security, though? As we both mentioned before, unlocking the bootloader causes a factory reset, so being able to do this doesn’t allow any kind of access to data or compromise of the operating system.

Sure that’s true. But the sole fact it’s harder on most phones now to wipe data perhaps makes phone thefts rarer.

Good point, I included thiefs not being able to wipe data in security, but it doesn’t change much for the user itself.

Edit: typo

2 Likes

I do not own a FP3, so I cannot talk about the differences, but security wise there are a few things to consider:

  • Locked bootloader and flag not set (i.e. OEM unlocking disabled)
    The security of your data and everything else depends on the quality of your password. A potential attacker does not have access to your data and if they were to factory reset your device they would not be able to use it, since factory reset protection (FRP) is in place. This requires the input of the credentials of the last google account connected to this device for it to be usable, your data is gone though.

  • Locked bootloader and flag set
    Same as above, but FRP is not active. Your data is still as secure, but an attacker could wipe your device and use it themselves.

  • Unlocked bootloader, flag does not matter
    Your data is still encrypted, so if someone has access to your device your data is still secure, but once you start using your phone again after getting it back the following attack vector is possible:
    Since your device is unlocked, a potential attacker could flash a malicious image, that records your passwords, or waits until you decrypt your phone (= enter your password) and send all your data to their computer using the internet.
    Strictly speaking you could consider your phone compromised the first time it leaves your hands and you look away.

Hope that helps :slight_smile:

6 Likes

Thanks, that’s pretty much what I thought!

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.