Awesome as always
Claims made by forensics companies, their capabilities, and how GrapheneOS fares
CatPaw Enabling developer options on Android is already gated by the main lock method. That's part of why it shouldn't be enabled in production, so that it's still gated behind the password. We also put configuring system backups behind the password in the same way with a downstream change.
JayJay It does do full backups. Turn on device-to-device backup mode.
- Edited
DeletedUser29 They can extract more data than you're meant to be able to extract via ADB by escalating privileges there, but having the lock method already gives them nearly all the data directly by design unless there's no backup service included to get app data. They can access everything you can access once they have your lock method which at least indirectly gives them nearly all the data even without a backup service. Regardless, once they have the lock method, the attack surface is enormous and it's not very realistic to stop them at that point. They can install whatever apps they want, grant any permissions they want including special access permissions, accessibility services, etc. and a few development permissions only available via ADB. It isn't at all realistic to prevent an exploit by someone with that control over the device already. Secondary users that are at rest have their data safe from them based on the security of the lock method similarly to Owner when the device is at rest since their encryption keys are separate.
Panda-na Other alternate operating systems aren't hardened and largely roll back security rather than improving it. DivestOS applies a portion of our privacy/security patches, but on top of LineageOS which rolls back security and DivestOS is focused on insecure devices. Cellebrite may still need to do some work in order to support them but it would generally be much easier for them compared to exploiting a stock OS device, not harder.
Wow. Thank you so much for all of the amazing work that goes into this project, seriously!
Not just on the technical side, but the clear and concise communication of best practices, exploit updates, changelogs, community involvement, etc.
I'm constantly blown away by the holistic approach you take and how well its all communicated. I don't know of many projects that are as consistent, and of high quality as GrapheneOS in this department.
I need to get around to setting up Monero so I can begin donating.👌
matchboxbananasynergy We can get the same information from newer months. In the future, we'll avoid sharing screenshots and will simply communicate it via text since to prevent easily tracking down the ongoing leaks.
While I believe in transparency, if refraining from publishing original information protects sources and allows further improvements to GrapheneOS based on real-world exploits I think that is an acceptable tradeoff.
Question if it is ok to ask: I see in the "Android OS Access Support Matrix" that GrapheneOS is supported for BFU and AFU "up to late 2022 SPL". Is it known exactly what vulnerability was patched around that time?
I'm guessing that for AFU they're trying to exploit the running OS to gain code execution and/or read memory. However what are the implications of exploiting a device in BFU state? Because if my understanding is correct there is a limited amount of metadata or other information available in BFU up for grabs and the rest is protected by FBE which requires deriving the hardware backed encryption keys in conjunction with the users unlock password.
Hathaway_Noa Thank you for your service.
That site was rather difficult to download from. Is it ok with you if I mirror it somewhere that is hopefully less annoying and we can crosscheck the hashes of the files?
popsicleman Of course
Question if it is ok to ask: I see in the "Android OS Access Support Matrix" that GrapheneOS is supported for BFU and AFU "up to late 2022 SPL". Is it known exactly what vulnerability was patched around that time?
No, we don't know what exactly was patched or improved either upstream or in GrapheneOS which blocked their exploits. We do know they weren't able to find another way to exploit GrapheneOS since then, which is great news. We recently implemented massive security improvements including the USB-C port control feature and previously memory tagging after the launch of the Pixel 8 so it should be much harder than it was before to exploit GrapheneOS. We also got those improvements made to the Pixel firmware upstream in April, and there are more improvements based on our reports pending right now.
I'm guessing that for AFU they're trying to exploit the running OS to gain code execution and/or read memory. However what are the implications of exploiting a device in BFU state? Because if my understanding is correct there is a limited amount of metadata or other information available in BFU up for grabs and the rest is protected by FBE which requires deriving the hardware backed encryption keys in conjunction with the users unlock password.
They need the BFU exploit to do a brute force of the lock method, but they can't currently do it on the Pixel 6 or later even with older releases due to the Titan M2 throttling. There's some info such as installed apps they can get there. We could provide the option of a boot passphrase since the current encryption is really filesystem-based full disk encryption and does encrypt every block similar to dm-crypt. There's a global key for metadata and then per-directory keys for file data and filenames which is how profile data is encrypted separately. We COULD provide support for setting a boot passphrase for encrypting the pre-unlock data such as installed APKs, Wi-Fi configuration, etc. along with the metadata blocks with file sizes. It's simply not one of the top priorities right now.
Pixels have had this throttling (Weaver) with the same rate limiting since the Pixel 2 added it via an NXP security chip alongside insider attack protection by requiring Owner authentication before accepting a signed firmware upgrade that's not a downgrade (see for details on Weaver). It appears they were able to eventually figure out how to exploit the NXP secure element on the Pixel 2 and were able to eventually exploit the ARM-based Titan M on 3rd/4th/5th generation Pixels. The fully custom RIXC-V Titan M2 introduced with the Tensor SoC Pixels has held up against them for years, and it appears similar for the other forensic companies based on the info we have. We do still recommend people who need their data secure indefinitely use a strong passphrase, and we're going to be making that a long more convenient via the 2-factor fingerprint unlock feature. Strong passphrase primary unlock with fingerprint+PIN secondary unlock will be the recommendation for high threat models, with the usual random 6 digit PIN recommendation as a baseline.
Hi, I want to ask when you say latest iphones are you talking about the iphone 15 lineup or 14 as well?
Hathaway_Noa Let's give Proton Drive a try.
SHA256 hashes (please crosscheck for authenticity):
952db145ab34af68d51e5040cac4389cb99b31a41512dd93c905ad7baf2d4c21 Android+Support+Matrix+7.69.1.pdf
6446ee8a33e6b60e7060bcb8985a3c06ff7da24c98a1274e5c49f555f260aa24 Triage+Profile+Management+Offline+Tool+Guide.pdf
d9317473de82985f8f16e7f649441c390ee0b09319760ed1ceb826a7eb0c452c iOS+Support+Matrix+7.69.1.pdf
- Edited
Turtle12345 Look at the iPhone/iPad tables from the screenshots of the documentation we've provided:
It's only the latest device generation and OS versions which aren't fully supported yet.
17.4 was released in March and this documentation is from April meaning it doesn't reflect improvements they made in April and May. Less than a month is not enough time to draw any conclusion that they have any major issues with 17.4. You can see that they have support for earlier releases shipping soon for everything but the iPhone 15, which has been out for enough time to give the impression that it must be at least somewhat harder for them to deal with it or it simply changed a lot of things they need to adapt to.
Says pixel 6 and later, does this include 6a as it's not as powerful as the pixel 6?
FiscalPixel Pixel 6a is a 6th generation Pixel, so it applies to it too.
- Edited
I'd like to point out that Cellebtite has been able to extract plaintext iPhone passcode (Instant Passcode Retrieval) from AFU iPhone since A11.
It means that
- Secure Enclave RAM is not clearing iPhone passcode properly after user input. Theoretically, as soon as the Secure Enclave derives KEK, the plaintext iPhone passcode should be wiped from Secure Enclave RAM immediately and renders IPR cryptographically not possible. Can someone file a security report with Apple security?
- Cellbrite can dump Secure Enclave RAM since A11.
Titian M2 on pixel seems to prevent such code execution or memory dump for now. However, can we be sure that the pixel passcode is cleared by Titan M2 RAM after authentication?
Furthermore, Android security model exposes all cryptographic key in AP RAM even in AFU mode. This renders memory dump on Titan M2 RAM unnecessary because AP RAM dump is enough for all user data. Is it possible to implement NSFileProtectionComplete keys in graphene os such that specific applications can opt in to use such keys to make data cryptographically inaccessible in AFU mode?
When IPR makes this point almost irrelevant, iPhone Supersonic BF is still limited by Secure Enclave Processor's power. "The iteration count is calibrated so that one attempt takes approximately 80 milliseconds." Such 80ms delay is enforced by cryptography and cannot be bypassed by gaining code execution on secure enclave and can only be bypassed by extracting UID physically from the fuses of the SoC.
What's the iteration count and the cryptography delay of passcode derivation on Titan M2 used by graphene os? The standard delay (5 failed attempts: 30 second delay, etc) is enforced by Titan M2 and can be bypassed once code execution is obtained on the Titan M2
[deleted] delays between failed PIN/password attempts are listed in this section:
Also, this bullet point from the 2024020500 release might be informative:
run full compacting garbage collection purging all regular Java heaps of dead objects in SystemUI and system_server after locking (this is already done after unlocking to purge data tied to the lock method and derived data, but it makes sense to do it after locking too)
Secure Enclave RAM is not clearing iPhone passcode properly after user input. Theoretically, as soon as the Secure Enclave derives KEK, the plaintext iPhone passcode should be wiped from Secure Enclave RAM immediately and renders IPR cryptographically not possible. Can someone file a security report with Apple security?
The conclusion you're drawing from this information is wrong. The OS implements the lockscreen and no issues with the secure element are needed for data to persist in the OS and be obtained via an OS exploit. They do appear to have secure enclave exploits but that's not an inherent requirement for this capability.
Cellbrite can dump Secure Enclave RAM since A11.
They can likely get code execution on it rather than only dumping the memory, but it's not implied by that capability. It would be unusual if they could dump the memory without getting code execution.
Titian M2 on pixel seems to prevent such code execution or memory dump for now. However, can we be sure that the pixel passcode is cleared by Titan M2 RAM after authentication?
That's not how encryption works on Pixels and isn't how the secure element is integrated. It doesn't have access to the lock method but rather receives a key derived by the OS from the initial key derived via scrypt from the lock method. The final key derivation happens in the TEE via a hardware-bound algorithm.
Furthermore, Android security model exposes all cryptographic key in AP RAM even in AFU mode. This renders memory dump on Titan M2 RAM unnecessary because AP RAM dump is enough for all user data. Is it possible to implement NSFileProtectionComplete keys in graphene os such that specific applications can opt in to use such keys to make data cryptographically inaccessible in AFU mode?
That's not how encryption works on Pixels. The keys aren't available to the OS or in regular memory. You're missing that the SoC provides hardware encryption features, not only the secure element. Wrapped keys are used for disk encryption rather than them being in regular memory or accessible to the OS at any point.
Android already does provide apps with the ability to keep data at rest while the locked is locked. You've been misinformed about this. Android does not yet have a data class for keeping data at rest when locked but that doesn't mean it isn't a supported feature already. It can be done via the hardware keystore. Android is in the process of adding a data class for this purpose to make it more efficient and easier to implement. It would serve no purpose for GrapheneOS to add an API that's not actually going to be used by apps, and we'd be stuck maintaining that forever instead of using the upcoming standard implementation. It's already possible for apps to keep data at rest while the device is locked via the keystore APIs across Android, so it's highly unlikely they would use a GrapheneOS specific API. It's not a realistic approach to improving things. If app developers cared about this, they'd already be keeping data at rest while locked but they aren't doing it on Android or iOS in general. That iOS feature is hardly used and the harder to use Android feature is actually used more broadly due to apps like Molly... showing that making this easier and more efficient is not everything.
When IPR makes this point almost irrelevant, iPhone Supersonic BF is still limited by Secure Enclave Processor's power. "The iteration count is calibrated so that one attempt takes approximately 80 milliseconds." Such 80ms delay is enforced by cryptography and cannot be bypassed by gaining code execution on secure enclave and can only be bypassed by extracting UID physically from the fuses of the SoC.
Android has hardware-bound key derivation too. You should really read our encryption FAQ. Such a short delay makes no difference with the typical lock methods that are being used. It only helps with a decent passphrase, which few people use, and the few people that do are likely using fingerprint unlock to make it more convenient which is a major weakness.
What's the iteration count and the cryptography delay of passcode derivation on Titan M2 used by graphene os? The standard delay (5 failed attempts: 30 second delay, etc) is enforced by Titan M2 and can be bypassed once code execution is obtained on the Titan M2
That's not how the encryption is implemented. Hardware-bound key derivation happens on the SoC from the TEE. With a random 6-8 digit PIN, the key derivation work factor from scrypt in the OS and hardware-bound key derivation in the TEE doesn't make it secure. It requires a passphrase with more entropy to truly work. The hardware-bound aspect can only be bypassed through extracting the key from the hardware if it's correctly implemented and cannot be obtained through TEE code execution.
- Edited
GrapheneOS The conclusion you're drawing from this information is wrong. The OS implements the lockscreen and no issues with the secure element are needed for data to persist in the OS and be obtained via an OS exploit. They do appear to have secure enclave exploits but that's not an inherent requirement for this capability.
I'm talking specifically about iOS here. iOS in contrast to Android has NSFileProtectionComplete. " Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again or unlocks (logs in to) the device using Face ID or Touch ID."
What you're referring to is an AFU extraction. The difference between an AFU extraction and FFS extraction is that data protected by NSFileProtectionComplete such as keychain data is not available in AFU extraction on iOS. On Android, AFU and FFS are the same due to lack of NSFileProtectionComplete class keys and no secure element exploit is needed for AFU or FFS extraction.
Full File System (FFS) Extraction:
The most comprehensive type of extractions you can get on these devices.
Required to gain access to deeper information like health, Keychain data (on iOS), and location/breadcrumb data that shows where the device has been.
AFU Extraction:On Android: Get the same data as a full file system extraction.
On iOS: Different levels of access depending on the device state can limit the information you can extract. (For example, Keychain, location data, and email accounts that may require passcode access)
Furthermore, even with secure enclave code execution, the plaintext passcode shouldn't be recovered if Apple had implemented it correctly. Because only the passcode verifier value i.e hash of (passcode + salt) is saved by the Secure Storage Component. However, Cellebrite specifically claims they can get iPhone plaintext passcode, suggesting Secure Enclave RAM is not clearing iPhone passcode properly after user input. Please see Cellebrite's explanation of IPR IPR.jpg
GrapheneOS That's not how encryption works on Pixels and isn't how the secure element is integrated. It doesn't have access to the lock method but rather receives a key derived by the OS from the initial key derived via scrypt from the lock method. The final key derivation happens in the TEE via a hardware-bound algorithm.
Please forgive my ignorance about how key derivation works on Android. All iOS data protection key derivation happens in secure enclave on iOS. You're saying on Android, the first part of key derivation happens on AP, then on TEE in Titan M2?
GrapheneOS The keys aren't available to the OS or in regular memory. You're missing that the SoC provides hardware encryption features, not only the secure element. Wrapped keys are used for disk encryption rather than them being in regular memory or accessible to the OS at any point.
You're right. Cellebrite claimed they can do FFS on pixel 8. They must have at least gained code execution on AP on AFU mode and used AP to communicate with Titan M2 to decrypt data if not code execution on Titan M2 itself, correct?
GrapheneOS Android already does provide apps with the ability to keep data at rest while the locked is locked. You've been misinformed about this. Android does not yet have a data class for keeping data at rest when locked but that doesn't mean it isn't a supported feature already. It can be done via the hardware keystore. Android is in the process of adding a data class for this purpose to make it more efficient and easier to implement. It would serve no purpose for GrapheneOS to add an API that's not actually going to be used by apps, and we'd be stuck maintaining that forever instead of using the upcoming standard implementation. It's already possible for apps to keep data at rest while the device is locked via the keystore APIs across Android, so it's highly unlikely they would use a GrapheneOS specific API. It's not a realistic approach to improving things. If app developers cared about this, they'd already be keeping data at rest while locked but they aren't doing it on Android or iOS in general.
Thank you informing me that Android is already implementing something similar
GrapheneOS That iOS feature is hardly used and the harder to use Android feature is actually used more broadly due to apps like Molly... showing that making this easier and more efficient is not everything.
According to you, even without setting any additional database password on Molly, AFU extraction will not yield the plaintext database? Didn't say anything about this. Possible for @Nuttso to clarify?
GrapheneOS ndroid has hardware-bound key derivation too. You should really read our encryption FAQ. Such a short delay makes no difference with the typical lock methods that are being used.
GrapheneOS That's not how the encryption is implemented. Hardware-bound key derivation happens on the SoC from the TEE. With a random 6-8 digit PIN, the key derivation work factor from scrypt in the OS and hardware-bound key derivation in the TEE doesn't make it secure. It requires a passphrase with more entropy to truly work. The hardware-bound aspect can only be bypassed through extracting the key from the hardware if it's correctly implemented and cannot be obtained through TEE code execution.
I've read FAQ multiple times before posting. In fact, I specifically referred to the 5 failed attempts: 30 second delay in my original posting.
Let me rephrase my question to make it more concrete.
My question is, if secure enclave/Tian M2 is totally compromised with full code execution, and a brute force attack is performed on device, how long does it take to brute force a six-character alphanumeric passcode with lowercase letters and numbers?
Apple claims that The passcode or password is entangled with the device’s UID, so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. In fact, it would take more than five and one-half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.
How long does it take for a pixel phone with standard os and graphene os respectively?
Keep in mind that the delay mentioned in FAQ reproduced below is all bypassed due to code execution on Titan M2
Standard delays for encryption key derivation enforced by the secure element:
0 to 4 failed attempts: no delay
5 failed attempts: 30 second delay
6 to 9 failed attempts: no delay
10 to 29 failed attempts: 30 second delay
30 to 139 failed attempts: 30 × 2⌊(n - 30) ÷ 10⌋ where n is the number of failed attempts. This means the delay doubles after every 10 attempts. There's a 30 second delay after 30 failed attempts, 60s after 40, 120s after 50, 240s after 60, 480s after 70, 960s after 80, 1920s after 90, 3840s after 100, 7680s after 110, 15360s after 120 and 30720s after 130
140 or more failed attempts: 86400 second delay (1 day)
GrapheneOS The OS implements the lockscreen and no issues with the secure element are needed for data to persist in the OS and be obtained via an OS exploit.
I agree that it's conceivable that an AP exploit by itself exploit enables this. However, on iOS 15-15.8.x, A11-A13 has no IPR while on the same exact OS version, A14-A15 does. Perhaps it's more of an engineering constrain rather than a technical limitation.
I'm talking specifically about iOS here. iOS in contrast to Android has NSFileProtectionComplete. " Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again or unlocks (logs in to) the device using Face ID or Touch ID."
Android currently provides this feature via the keystore API. It is possible for apps to keep data at rest while the device is locked, just like iOS, and if they use StrongBox it's based on the secure element. Whether the keystore keeps keys marked as requiring user authentication and an unlocked device at rest rather than just disallowing usage is a quality of implementation issue specific to devices which we don't know much about at this point.
Android is adding a similar data class for data that's at rest while locked to avoid apps needing to use another layer of encryption via the keystore as they currently do. This DOES NOT mean that more iOS apps keep data at rest while locked. Signal doesn't do it on either Android or iOS, but Molly exists on Android which in addition to their app passphrase uses the StrongBox keystore with a key requiring authentication and an unlocked device. Apps could transparently use the keystore that way without an app passphrase too.
What you're referring to is an AFU extraction. The difference between an AFU extraction and FFS extraction is that data protected by NSFileProtectionComplete such as keychain data is not available in AFU extraction on iOS. On Android, AFU and FFS are the same due to lack of NSFileProtectionComplete class keys and no secure element exploit is needed for AFU or FFS extraction.
That's not correct. Android supports keeping data at rest while locked. Those are not the same thing. Neither OS has much data kept at rest while locked in practice. iOS makes this easier for app developers but easier does not mean more apps actually use it. Molly and several Android TOTP apps are counterexamples to that assumption.
Furthermore, even with secure enclave code execution, the plaintext passcode shouldn't be recovered if Apple had implemented it correctly. Because only the passcode verifier value i.e hash of (passcode + salt) is saved by the Secure Storage Component. However, Cellebrite specifically claims they can get iPhone plaintext passcode, suggesting Secure Enclave RAM is not clearing iPhone passcode properly after user input. Please see Cellebrite's explanation of IPR IPR.jpg
The info you're quoting isn't correct since it ignores the hardware keystore on Android. Not everything they claim is correct.
Please forgive my ignorance about how key derivation works on Android. All iOS data protection key derivation happens in secure enclave on iOS. You're saying on Android, the first part of key derivation happens on AP, then on TEE in Titan M2?
Android does the first part of key derivation in the OS via scrypt. It derives keys with a simple personalized hash approach for each purpose from the scrypt key derivation, which is then passed along to the different use cases. One of those is the Weaver feature implemented by the secure element. Another is the initial authentication of the Owner user with the secure element which authorizes signed updates with a newer version of secure element firmware. Another is unlocking the keystore.
The Weaver token is how Android implements time-based throttling via the secure element. The secure element has no direct involvement in key derivation. It's not super high performance hardware and is a poor place to do that for protecting against attackers able to bypass all the hardware-based security features.
The final key derivation is done in the Trusted Execution Environment (TEE) on the main SoC, which means in TrustZone. It uses an SoC cryptographic acceleration feature providing hardware-bound key derivation as one of the features. The hardware-bound aspect means that exploiting the TEE shouldn't provide any way either direct or indirect via side channels to get access to the key used in the hardware-bound key derivation algorithm. On Snapdragon, the Qualcomm Crypto Engine provides these features and is meant to be used in the TEE applet for this.
On Pixels and most modern Snapdragon devices, the OS does not receive the decrypted disk encryption keys but rather handles for using them. This is called the wrapped key feature. This prevents a kernel information leak, etc. from leaking the encryption keys. They're also presumably not meant to be available via a memory dump. We haven't verified this but the information from XRY, Cellebrite, etc. appears to indicate that works properly. Otherwise, XRY would not have had to use a leftover hash or something like that in memory to brute force the lock method. They did not appear capable of doing this with GrapheneOS, but further work has been done on GrapheneOS to rule out other ways this could happen by running full compacting GC which zeroes the old heap for SystemUI / system_server when the screen is locked, not just the standard of doing it a bit after unlocking to wipe leftovers of the lock method, etc. We also made some other changes and began auditing this.
You're right. Cellebrite claimed they can do FFS on pixel 8. They must have at least gained code execution on AP on AFU mode and used AP to communicate with Titan M2 to decrypt data if not code execution on Titan M2 itself, correct?
FFS is when they have the user's lock method already, so all it has to involve is exploiting the device from ADB shell after enabling developer options with the lock method, enabling ADB and authorizing their access. It's not any kind of fancy exploitation.
Thank you informing me that Android is already implementing something similar
The Android hardware keystore is what to look into if you want to know more. There are 2 hardware keystores on Pixels: the traditional TEE (TrustZone) keystore which encrypts data and stores it in regular storage and the StrongBox keystore provided through the secure element since the Pixel 3. Pixel 2 had a secure element with insider attack protection (Owner authentication needed to update firmware via valid signed updates with newer version) and Weaver (covered in but predates StrongBox being available.
According to you, even without setting any additional database password on Molly, AFU extraction will not yield the plaintext database? Didn't say anything about this. Possible for @Nuttso to clarify?
It uses the StrongBox keystore and should be setting the key as requiring an unlocked device. You can check the code to see if it does that.
My question is, if secure enclave/Tian M2 is totally compromised with full code execution, and a brute force attack is performed on device, how long does it take to brute force a six-character alphanumeric passcode with lowercase letters and numbers?
On Android, this is based on the combination of the standard scrypt key derivation which can be offloaded elsewhere without an exploit and the final hardware-bound key derivation done within the TEE (TrustZone). There cannot be a specific answer for how long it takes and an attacker could extract the key from the hardware to offload the hardware-bound key derivation part. The amount of time spent on hardware-bound key derivation varies by device and we don't know specifically how long it's configured to take in each Pixel generation.
How long does it take for a pixel phone with standard os and graphene os respectively?
It's currently the same and we can only increase the scrypt part. The hardware-bound key derivation part is in the TEE and we can't change that firmware beyond requesting improvements as we've done successfully in several areas.
Keep in mind that the delay mentioned in FAQ reproduced below is all bypassed due to code execution on Titan M2
The FAQ explains that there's scrypt key derivation in the OS and then at the end there's hardware-bound key derivation in the TEE similar to the secure enclave key derivation on iOS. The details of the hardware-bound part vary by device and are drastically different on Snapdragon vs. Tensor along with evolving significantly over time on Snapdragon. We know more about how it works on Snapdragon than Tensor.