GrapheneOS and forensic extraction of data

Freedomain

Blastoidea please link the final publish so that everyone can share! Great article.

Blastoidea

Sometimes I wonder why Google doesn’t do at least some of the more obvious things to harden up Android.

[deleted]

Matthai Cellebrite has been able to extract Signal messages only if user unlocked the phone and Signal app and hand it to the forensic examinator.

I'm unclear on this point. According to https://discuss.grapheneos.org/d/12848-claims-made-by-forensics-companies-their-capabilities-and-how-grapheneos-fares/71 it seems that even an AFU extraction is enough.
Though forensic tools claim only FFS could produce signal text database https://discuss.grapheneos.org/d/12848-claims-made-by-forensics-companies-their-capabilities-and-how-grapheneos-fares/69

Matthai

Yes, Signal's database is encrypted. So you need to need to extract the Signal database and the encryption key from the keychain/Android Keystore system. Or try bruteforce Signal database without the key, but good luck with that.

See this:

Unlike other applications, such as Whatsapp, Telegram, Messenger, etc., SIGNAL keeps its local database (signal.db) encrypted in AES-GCM mode, that is, even if it is possible to collect such a base through a collection physical (ROOT and others) or logical (DOWNGRADE), nothing can be done while it is not decrypted. For this, we have to obtain three values to decrypt the database, the first is the value of the key that is in the USERKEY_SignalSecret file, in HEXADECIMAL format, located in the KEYSTORE of the device. The other values are present in the XML file, org.thoughtcrime.securesms_preferences.xml, located in Signal's root folder, being the CIFREADED TEXT with AUTHTAG (authentication TAG) + IV, all in BASE64 format.

Source: https://github.com/AvillaDaniel/Signal-Forensics

RandomlyGeneratedName1

What about GrapheneOS? According to the documents, Cellebrite admits they can not hack GrapheneOS if users had installed updates since late 2022.

What happened before 2022?

Matthai

RandomlyGeneratedName1
After that there has been a patch, preventing data extraction. I guess GOS developers disabled some exploit they (Cellebrite) was using.

Matthai

I will add this to the article:

Short notice: Signal's local database on a phone is encrypted. So you need to need to extract the Signal database from the filesystem first, and then to you need to obtain three values to decrypt the database. The first is stored in so called Keystore system, and the other two values are stored in the XML file on the phone's file system. It is important to know that cryptographic keys stored in a Keystore system are more difficult to extract from the device, because once keys are in the Keystore, you can use them for cryptographic operations, with the key material remaining non-exportable.

[deleted]

Matthai It seems that even though the key is available in AFU and theoretically can be extracted in AFU, it is technically hard to extract the key. It's not bulletproof and dependent on secure element not being compromised.

[deleted]

There was a picture from early 2023 of Europol evidence sheet having extracted signal messages from Pixel 7 running graphene OS.

Not sure on the ins and outs of what state the phone was in etc.

sandking414

[deleted] do you have a link of article or picture by any chance ?

Matthai

You mean this:
https://discuss.grapheneos.org/d/7658-seized-graph-phone-swe-police

It says that in that case undercover police grabbed phone while it was unlocked...

[deleted]

Matthai no. It was Spain or Holland I can't remember and referred to drug trafficking of weed.

Edit I'm sure it was spain

[deleted]

sandking414 I don't now I seen it early last year and I didn't know these chat rooms existed at the time but it's concrete and it happened.

Matthai

Here is the link to my blog, where I published this: https://telefoncek.si/2024/05/2024-05-30-grapheneos-and-forensic-extraction-of-data/

I know, it is "just" a blog, but it is important, that information gets out.

GrapheneOS

[deleted] It's the TEE and SoC inline cryptographic acceleration hardware, not the separate secure element chip.

GrapheneOS

The exploit for GrapheneOS versions before late 2022 might have been developed after 2022. We don't have that info.

Blastoidea

What, exactly, is on the Titan chip?

GrapheneOS

Blastoidea An authentication token for Owner to prove they logged in to enable accepting firmware updates (insider attack resistance), lock state, verified boot state (OS versions, user flashed verified boot key), StrongBox hardware keystore used by apps, factory reset protection data (not used by GrapheneOS) and the Weaver slots. Hardware-based attestation is part of the StrongBox keystore API and tied to verified boot and other info passed by the boot chain on the main SoC. There's authenticated encryption between the secure element and the SoC secure core, so they're paired together at the factory. It's a separate chip so communicating with it has too much latency for it to be involved directly in disk encryption beyond the Weaver feature providing time-based throttling and more reliable data wiping for user profiles.

GrapheneOS

This is off-topic for this thread.