• GeneralPixel 6a

  • Unsubstantiated claims about Cellebrite contradicted by Cellebrite

This thread is presenting extracting data from devices after entering the correct lock method as unlocking them which is not accurate and it's going to be removed. No evidence of what was claimed was provided, and it contradicts what has been previously made available to us last month.

Cellebrite's official documentation as of April 2024 states they cannot even exploit GrapheneOS devices in either BFU or AFU mode to obtain anything from them. They're only able to exploit much older releases before the late 2022 security patch levels. They also state that they have no secure element exploit for the Pixel 6 or later, even with the oldest patch levels. The only functionality Cellebrite claims to offer is extracting the whole filesystem with the lock method provided to them. No evidence has been provided of what was claimed in the title and initial post.

de0u The only functionality Cellebrite offers with GrapheneOS is performing a full filesystem extraction after the correct lock method is provided and the device is unlocked with it. The only working exploits they have since after the late 2022 patch levels are privilege escalation after being granted ADB access which is a very minor problem and not an impressive capability. For the stock OS, they say that they can exploit both BFU and AFU but cannot bypass the secure element brute force protection on the Pixel 6 or later even with the oldest Pixel 6 firmware without security patches. If people don't want to depend on them not successfully exploiting the secure element, they can use a random 6+ word diceware passphrase instead of a random 6-8 digit PIN.

      GrapheneOS The only functionality Cellebrite offers with GrapheneOS is performing a full filesystem extraction after the correct lock method is provided and the device is unlocked with it.

      This is good to know. Thanks for clearly explaining the situation.

        Rarry I can read Swedish, but you need to point to specific page numbers. The documents are 1000+ pages long.

        In any case, the GrapheneOS account has already clarified the situation around Cellebrite.

          flighty_sloth Their documentation says they can exploit all major Android OEM devices both BFU and AFU. If they're BFU, data in profiles is at rest and they need to brute force to obtain it. It says they cannot do a brute force on the Pixel 6 and later but can on all the other listed brands, since they apparently haven't been able to exploit the Titan M2 even for older versions. Their documentation also states they cannot exploit GrapheneOS either BFU or AFU except devices with a patch level earlier than late 2022. This documentation is listing capabilities rather than explaining why anything is the way it is, so we don't know that. We don't have any reason to think they're either exaggerating or understating their capabilities in these official docs.

          Being able to brute force only means they can brute force at the rate the device is able to do key derivation unless they have a way to extract the hardware bound key or this part of it wasn't properly implemented. Pixel 3 and later added time-based throttling based on the secure element, which Cellebrite apparently hasn't been able to defeat for the Pixel 6 and later even for older releases.

          We don't know much about what other forensic companies can do or what governments have developed themselves, but we have access to Cellebrite's official list of capabilities for law enforcement, governments, etc. as of April 2024. It indicates to us that we were much more successful than we expected at defeating their attacks even before our recent focus on it since around January after we found out about the MSAB/XRY use of a fastboot mode firmware vulnerability.

          Fastboot mode attack surface for recovering data from the OS in AFU mode was eliminated in the April security update due to us reporting it being exploited in the wild with a proposal on how to prevent doing it. Ideally, memory would be encrypted with a per-boot key in the SoC both to greatly raise the bar for extracting data from it and so that it gets purged on reboot by simply rotating a key instead of having to actively wipe it. We hear some other companies were using this too. We did not receive any info which would indicate that they were able to use this attack method against GrapheneOS, but we were very concerned about that possibility which is why we pushed hard to get it addressed in the firmware instead of depending on attempting to work around it in the OS or depending on our auto-reboot feature.

              I just finished going through the documents for anything related to GrapheneOS and Google Pixel in general, and in conclusion:

              • There are 0 mentions of GrapheneOS in any of the documents.

              • Halmstads TR B 894-23 Aktbil 451, Protokoll - åtalspunkt 1.1 - 1.pdf has a Cellebrite Extraction Report for a Pixel 6a running Android 13, page 292. Again nothing about GrapheneOS.

              • Halmstads TR B 894-23 Aktbil 449, Förundersökningsprotokoll - åt.pdf contains primarily the interrogations of the suspects. One of the topics they are questioned about is, as the interrogator describes it, a "a Pixel phone, i.e. an encrypted mobile phone?"

                One mention of the Pixel 6A phone (page 607, in Swedish):

              Pixeltelefon – BG28335-1
              Asad har på sig två mobiltelefoner både då han är på Hoom hotell samtidigt som dig och då
              han grips efter det att Nawaf blivit skjuten. Han har en Iphone som är hans sedan tidigare,
              men han har även en Google Pixeltelefon på sig. Varför har man en Pixeltelefon, dvs en
              krypterad mobiltelefon? Var har Asad fått tag i den? Vad användes den till? Varför gick Asad
              runt med två mobiltelefoner då ni befann er i Stockholm? Vem ringde och chattade på denna
              Pixeltelefon?

              Beyond this there is absolutely nothing even remotely related to GrapheneOS so I think we can safely conclude that it never had anything to do with it at all. I presume OP was confused by the description of the Google Pixel phone as "an encrypted mobile phone" and mistook it for being a reference to GrapheneOS.

                The information on iOS is laid out differently and is harder to understand without the context of further information about what Cellebrite means by the terms they use in the tables. It shows they can do the same kinds of stuff they can do for most Android OEMs but it's taking time for them to add the latest generation(s) for all capabilities. The latest iPhones seem to fair slightly better against them than stock OS Pixels but likely mainly because they still need to catch up.

                Also, they can essentially do full filesystem extraction with the lock method provided for anything but we have no interest in that and consider it quite silly that other companies heavily hype up their ability to extract data from GrapheneOS if you unlock the device, enable ADB and authorize ADB access to their product. Not a big deal. There could theoretically be builds without developer options, etc. but it doesn't actually matter and we don't care about the marketing angle to waste resources on it.

                  DeletedUser29

                  Beyond this there is absolutely nothing even remotely related to GrapheneOS so I think we can safely conclude that it never had anything to do with it at all. I presume OP was confused by the description of the Google Pixel phone as "an encrypted mobile phone" and mistook it for being a reference to GrapheneOS.

                  Their post makes specific claims about GrapheneOS versions and Cellebrite software version.

                  @"Rarry What are you basing all of these claims on? It's apparently not these documents, and it doesn't match information we have from elsewhere that's not public.

                      GrapheneOS Indeed. And considering the suspects complete lack of opsec (e.g. there are a lot of pictures of them brandishing guns with their faces fully visible) it is doubtful the police needed any sophisticated methods to access the phones.

                          DeletedUser29 It looks like the author wrongly assumed it was about GrapheneOS because in one report it is written "encrypted mobile phone" when it was a Pixel 6a on Android 13, I don't think the Police used sophisticated methods either when I see the band of idots on the pictures, I wouldn't have had the patience to examine over 1000 pages in Swedish as you did, thanks for your feedback.

                              Xtreix Oh I didn't read all the pages. Ctrl+F did a lot of heavy lifting, so it was mostly a matter of parsing through the keyword hits to see what the context around them were. Which as I said had nothing to with GrapheneOS and mostly concerned "where/why did you have this phone and using Signal to talk to these people?".

                              I also have the fortune of both speaking Swedish and rather liking doing stuff like this so I'm glad it was of use :)

                                  de0u
                                  Don’t worry about it.

                                  We have millions of native speakers who can’t construct a simple declarative sentence in grammatical English.

                                  Your english is fine.

                                    GrapheneOS
                                    Thank you for the valuable information.
                                    This information is very helpful to me.
                                    I would like to investigate in detail Cellebrite's ability to crack smartphones such as Samsung and Apple and each generation of Pixel.
                                    I would also like to know more about the state in which each device can be unlocked, the type and speed of brute force.
                                    If you would like, could you please share the official Cellebrite documentation on this forum or send it to my email address below?
                                    Thank you.
                                    My email address:
                                    onionnetworkside@protonmail.com

                                        OnionNetworkSide there are people working their ass off to get that kind of information and you think they just share to someone unknown such specific information?

                                        I would encourage GrapheneOS to keep thr details and specifics to themselves, let those forensic companies die in their rage ;)