Disable any existing non-charging USB-C functionality in Lockdown mode
This should be a baseline feature. When the device enters lockdown state, any existing non-charging USB-C functionality should be disabled no matter what the USB-C option is. New non-charging functionality should also be disabled until the next successful unlock. Apple have a similar feature:
These data connections are also disabled whenever the device is in a state where it requires a passcode to re-enable biometric authentication.
This does not make sense, why should it be more hardened in lockdown mode than in Before First Unlock? If your settings allow more lax usage of USB-C in Before First Unlock, the adversary may just reboot the device then connect the USB-C.
I believe lockdown only applies to a single user. If you have multiple users, then they may simply switch user. You would have to set every running user into lockdown at once.
Edit: this is wrong, Lockdown applies across the entire device, not just a single user.
Apple writes,
In addition, if it’s been more than 3 days since a data connection has been established with an accessory, the device will disallow new data connections immediately after it locks. This is to increase protection for users who don’t often make use of such accessories. These data connections are also disabled whenever the device is in a state where it requires a passcode to re-enable biometric authentication.
The user can choose to re-enable always-on data connections in Settings (setting up some assistive devices does this automatically).
We already have something just as good: Exploit Protection > USB-C port > Charging-only when locked.
If it is really an emergency, like if someone is about to attack you or snatch your device in the moment, then you likely will not have time to hold the power button to click "Lockdown."
As an alternative to the issue description, I might suggest making "Charging-only when locked" a default, and to have the "USB-C port and pogo pins" options be on the setup wizard when setting up the device for the first time.
We already have something just as good:
What we're doing is much better. It blocks all new USB connections in software and hardware. Once none are established anymore, it disables USB data completely. What we do by default is better than their most strict USB configuration. We could have a way to timeout active USB connections after locking, but auto-reboot does already exist as an upper bound.
What we do by default is better than their most strict USB configuration.
I thought that "Charging-only when locked" is not the default, but I must have forgotten that it actually is. I have it set to this, and the docs say this too: https://grapheneos.org/usage#usb-c-port-and-pogo-pins-control
The default is Charging-only when locked, [...].
So the issue here is only helpful if someone intentionally lowered the exploit protection settings and set their device into Lockdown? It sounds like leaving the default would avoid the entire issue at hand while doing a better job at protecting the device.
The default fully disables USB data while locked if USB isn't in active use. You can connect a USB device while unlocked and it will keep working after locking. Our interpretation of this request is asking for lockdown to temporarily force it to charging-only while locked (the default) and end existing USB connections so that USB data gets disabled by the feature right away.
AOSP has this feature already at the OS level: https://android.googlesource.com/platform/frameworks/base/+/dbd2410fd1431aba65d6e3b6b6a937f91dad6e47%5E%21/