• Announcements
  • Claims made by forensics companies, their capabilities, and how GrapheneOS fares

de0u If there's a 10 diceware word passphrase, as in 128 bits of entropy, then there would need to be truly massive breaks in AES, scrypt or the other cryptography used as part of key derivation to recover any of the data in that profile. Cryptography is considered broken when an algorithm meant to have 128 bit security has an attack reducing the security to 127 bits even only in a certain edge case. It's using AES256 rather than AES128 so even a massive break 30 years from now reducing AES256 to 100-bit security doesn't mean any data can be recovered. The disk encryption is already protected against theoretical powerful quantum computers, unlike TLS connections with ed25519 key exchange or using AES128 instead of AES256.

    GrapheneOS If there's a 10 diceware word passphrase, as in 128 bits of entropy, then there would need to be truly massive breaks in AES, scrypt or the other cryptography used as part of key derivation to recover any of the data in that profile.

    It sounds as if AES-256 with a 128-bit random key is good enough for a long time, even hopefully quantum-resistant. That's good to know.

    The question about the iPhone scenario (uppa9) was "alphanumerical passphrase of 20+". I think (26+26+10)^20 is pretty close to 2^128, so it sounds as if that scenario is probably good too, assuming the passphrase is truly random?

      de0u Adding a couple more lowercase letters usually makes more sense than using uppercase. It's very rare that anyone would be entering a password consisting of completely random characters though. It's generally harder to remember and type correctly than a diceware-style passphrase, although it'd be a lot shorter.

      • Edited

      They say that Supersonic BF can only do around 5000 guesses per day:

      https://blog.elcomsoft.com/2023/06/what-forensic-vendors-dont-like-to-tell-their-customers-part-2/

      In case you are curious, “supersonic” brute-force is slightly above 5,000 APD (Attempts Per Day); I am not saying this speed is bad (especially as most other vendors cannot do that at all), but I definitely would not call it “supersonic”.

      Is this true or bullshit? If it's true then why the hell is it so damn slow?
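A worked comparison of the entropy figures discussed above and the 5,000 attempts-per-day rate quoted from the Elcomsoft post, as an added example that is not part of the original thread. The 7776-word diceware list size and the six-digit PIN case are assumptions for illustration, not values from the thread.

```python
import math

# Parameters taken from the thread; the 7776-word (6^5) diceware list and the
# six-digit PIN are constructed assumptions for comparison, not stated on the page.
DICEWARE_WORDS = 7776
ALNUM_CHARS = 26 + 26 + 10      # a-z, A-Z, 0-9, as written in the thread
PIN_DIGITS = 10
SUPERSONIC_APD = 5000           # attempts per day quoted from the Elcomsoft post


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy in bits of a uniformly random sequence of `length` symbols."""
    return length * math.log2(symbol_count)


def expected_years(bits: float, attempts_per_day: float) -> float:
    """Expected years to hit the secret by uniform guessing with no shortcut:
    on average half of the 2**bits keyspace has to be searched."""
    return (2 ** (bits - 1)) / attempts_per_day / 365.25


def compare(attempts_per_day: float = SUPERSONIC_APD) -> dict:
    """Entropy and expected brute-force time for the secrets discussed above.

    The rate defaults to the throttled on-device figure; passing a larger rate
    models the case where the work factor has been bypassed or offloaded."""
    cases = {
        "diceware_10_words": entropy_bits(DICEWARE_WORDS, 10),
        "alnum_20_chars": entropy_bits(ALNUM_CHARS, 20),
        "pin_6_digits": entropy_bits(PIN_DIGITS, 6),
    }
    return {
        name: {"bits": bits, "years": expected_years(bits, attempts_per_day)}
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18s} {result['bits']:7.1f} bits  ~{result['years']:.3g} years at {SUPERSONIC_APD}/day")
```

The throttled rate only matters for short secrets such as a PIN; a random passphrase of the sizes discussed above is out of reach at any realistic guessing rate.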

      matchboxbananasynergy https://grapheneos.social/system/media_attachments/files/112/462/760/076/651/069/original/abb6bfdb2d3cbc6a.png

      As a layman I'm still confused after reading the thread. Why is it possible to extract data from devices which are cold BFU (1st column), 6th+ gen Pixels included? Does the first column only apply to encrypted data, meaning data is extracted, but it's encrypted?
      It's possible to bruteforce the encryption key for most other types of devices – except 6th and later Pixels – because the secure element has been bypassed, which means throttling is disabled, which in turn allows for decryption of the extracted encrypted data?
      Hope I'm not completely misunderstanding the whole chart.

        • Edited

        ticklemyIP These companies can't bypass the throttling on Pixel 6 and up. They can do it on every other device. Maybe not on the latest iPhone, but I think they will figure it out pretty quick.

        According to the latest iOS Support Matrix 7.69.5 (as of July) uploaded by a Reddit user, Cellebrite can unlock up to iOS 17.5.1. Also, it seems that the CAS service (not Premium or Inseyets) can unlock the iPhone 15.

        https://imgur.com//WpuUNGh

          de0u

          Appreciate you replying back. And the follow up comments have been very helpful.

          orangecola There's one / too many in that link. Also, yes, would be nice to have a link to the Reddit post in question.

            @Hathaway_Noa It appears there's newer documentation showing they caught up to the latest iOS. Do you have access to it?

              https://grapheneos.social/@GrapheneOS/112814183717082534

              Our thread properly explains the info in the tables, including their inability to exploit the Pixel 6 or later secure element and their ability to only partially bypass it on iPhone 12 or later.

              So this guy is saying that Supersonic BF can only do 5000 guesses per day: https://blog.elcomsoft.com/2023/06/what-forensic-vendors-dont-like-to-tell-their-customers-part-2/

              Is it because Cellebrite can only partially bypass the secure element on iPhone 12 or later?

                Lukas They're fully bypassing the secure element before the iPhone 12 and Pixel 6. They appear to refer to that level of on-device brute force as supersonic brute force for iPhones. It's still not something they can offload to a server farm without extracting the hardware-bound key from hardware to offload it elsewhere. That means there's an on-device work factor for each key derivation attempt. This is not meant to be possible to bypass with exploits but rather is meant to require extracting the key from the hardware with advanced equipment, with barriers in the way of doing that successfully. These tools inherently can't bypass that based on the limitation of the approach unless there's a major flaw in how it was implemented. It all makes sense based on the design that's used. iPhone 12 and later are likely still having their secure element exploited, but Apple added another layer of security for the secure element's throttling of attempts and it would be harder to bypass that. Titan M2 is likely significantly more secure in practice and they simply haven't been able to compromise it yet. We don't know if there's another layer of security within the Titan M2 for Weaver, but our expectation is that it's simply a lot harder to get any code execution on the Titan M2 in the first place. iPhones have done some things better and Pixels have done some things better.

                We don't have much information about what Pixels currently do in the final TEE phase of key derivation. What they do there is important because that's what provides the work factor which is meant to be impossible to offload to a server farm. The OS uses scrypt, which can be offloaded to a server farm, so it's up to the TEE to use hardware-bound key derivation where a TEE exploit can't obtain what's needed to offload it. The TEE does not implement the time-based throttling; rather, the secure element does that. Android's secure element is different from the iOS one too. It's a separately manufactured chip with authenticated encryption between it and the main SoC via pairing at the factory. iOS uses a separate processor on the same SoC. The iOS approach provides lower latency and higher throughput, but it can't be manufactured substantially differently. The Pixel approach means they can theoretically defend better against physical attacks, but we don't have details on what they're doing to defend against those attacks since it's not at all public and has nearly zero public research about it, unlike firmware security research where there's some information available.

                horde

                Clicking on that link and then the link for imgr shows nothing. Image can't be found.