According to the documents, Cellebrite could not unlock any iPhones running iOS 17.4 or newer as of April 2024, labeling them as “In Research.” For iOS versions 17.1 to 17.3.1, the company could unlock the iPhone XR and iPhone 11 series using their “Supersonic BF” (brute force) capability. However, iPhone 12 and newer models running these iOS versions were listed as “Coming soon.”

The Android support matrix showed broader coverage for locked Android devices, though some limitations remained. Notably, Cellebrite could not brute force Google Pixel 6, 7, or 8 devices that had been powered off. The document also specifically mentioned GrapheneOS, a privacy-focused Android variant reportedly gaining popularity among security-conscious users.

Links to the docs:

iPhone

Android

GrapheneOS has a thread about this on Mastodon, which adds a bit more detail:

Cellebrite was a few months behind on supporting the latest iOS versions. It’s common for them to fall a few months behind for the latest iOS and quarterly/yearly Android releases. They’ve had April, May, June and July to advance further. It’s wrong to assume it didn’t change.

404media published an article about the leaked documentation this week but it doesn’t go into depth analyzing the leaked information as we did, but it didn’t make any major errors. Many news publications are now writing highly inaccurate articles about it following that coverage.

The detailed Android table showing the same info as iPhones for Pixels wasn’t included in the article. Other news publications appear to be ignoring the leaked docs and our thread linked by 404media with more detail. They’re only paraphrasing that article and making assumptions.

We received Cellebrite’s April 2024 Android and iOS support documents in April and from another source in May before publishing it. Someone else shared those and more documents on our forum. It didn’t help us improve GrapheneOS, but it’s good to know what we’re doing is working.

It would be a lot more helpful if people leaked the current code for Cellebrite, Graykey and XRY to us. We’ll report all of the Android vulnerabilities they use whether or not they can be used against GrapheneOS. We can also make suggestions on how to fix vulnerability classes.

In April, Pixels added a reset attack mitigation feature based on our proposal ruling out the class of vulnerability being used by XRY.

In June, Pixels added support for wipe-without-reboot based on our proposal to prevent device admin app wiping bypass being used by XRY.

In Cellebrite’s docs, they show they can extract the iOS lock method from memory on an After First Unlock device after exploiting it, so the opt-in data classes for keeping data at rest when locked don’t really work. XRY used a similar issue in their now blocked Android exploit.

GrapheneOS zero-on-free features appear to stop that data from being kept around after unlock. However, it would be nice to know what’s being kept around. It’s not the password since they have to brute force so it must be the initial scrypt-derived key or one of the hashes of it.

  • mctoasterson@reddthat.com
    link
    fedilink
    English
    arrow-up
    41
    arrow-down
    1
    ·
    4 months ago

    Nice to see some benefit to updated vanilla AOSP, Graphene, and other options.

    It goes without saying but it seems like a deeply fucked business model to horde zero-days that could cause billions in damage or safety issues if they fall into the wrong hands, in order to keep your mercenary surveillance product working.

  • Lojcs@lemm.ee
    link
    fedilink
    English
    arrow-up
    42
    arrow-down
    6
    ·
    edit-2
    4 months ago

    Mfw Samsung on android 6 is the most secure 😮. Wonder if it has something to do with the mid boot password option that was around

    Edit: Downvoted in 10 seconds wtf

    • woelkchen@lemmy.world
      link
      fedilink
      English
      arrow-up
      35
      ·
      4 months ago

      Mfw Samsung on android 6 is the most secure 😮. Wonder if it has something to do with the mid boot password option that was around

      More likely: So old, no point in even attempting, therefore not supported.

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      12
      ·
      4 months ago

      I think it’s probably a demand issue. There’s just not that many devices running with that Android version, and it takes a lot of time and money to pay engineers to find and use extremely complex state of the art exploits.

        • henfredemars@infosec.pub
          link
          fedilink
          English
          arrow-up
          13
          ·
          4 months ago

          Right. If you’re a sufficiently wanted criminal, I’m sure they could custom an exploit for you. You’re not really secure.

          Probably not economical to include it in their normal package.

  • Adanisi@lemmy.zip
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    Use a long password and you’ll be immune from their before first unlock brute force.

    Passcodes are trivial to break.

    • underisk@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      6
      ·
      edit-2
      4 months ago

      They’re exploiting vulnerabilities and back doors not brute forcing your passcode. The only way you’re keeping them out is with hardware encryption which the iPhone has and probably why it’s the only one not vulnerable. Hardware encryption also won’t matter if your vendor shares their keys with law enforcement. As far as I’m aware, Apple is the only one that’s gone to court and successfully defended their right to refuse access to encryption keys.

      Don’t put anything incriminating on your phones.

      • Adanisi@lemmy.zip
        link
        fedilink
        English
        arrow-up
        7
        ·
        edit-2
        4 months ago

        In a before-first-unlock state they absolutely are bruteforcing, since the filesystem is encrypted. The exploits are for bypassing the retry limit in that case.

        And the manufacturers don’t have your encryption keys. They’re unique.