GrapheneOS Cellebrite's current documentation shows they can exploit iOS 18 and later versions

What sense is there to be afraid of Cellebrite if they use these vulnerabilities only to read the encrypted file system image? But the file system remains encrypted. A password longer than 10-15 characters does not even make sense to brute force. They cannot bypass password protection even on the Samsung S20 etc. All attempts to prevent access to the USB port are attempts to prevent reading the file system image, but no one will brute force a password longer than 10 characters. A good password, updating the system and rebooting the phone for a few hours - completely makes the phone invulnerable on any version of the latest OS. Sorry for my bad English

      Alllus Their give them access to essentially all of the data on the device for devices in the After First Unlock state which is the typical situation.

      They cannot bypass password protection even on the Samsung S20

      They can bypass passwords with brute force since people usually don't set strong random passphrases. Samsung devices do not successfully block brute force like modern iPhones and Pixels are doing successfully with their secure elements.

      All attempts to prevent access to the USB port are attempts to prevent reading the file system image

      No, that's not what they're doing. They're exploiting the device to gain control over it and access everything the OS can access, which is essentially everything on the device in After First Unlock state.

      A good password, updating the system and rebooting the phone for a few hours - completely makes the phone invulnerable on any version of the latest OS.

      Rebooting most Android devices doesn't clear the memory. People also often don't get a chance to reboot or power down in these situations even if they know that's a good idea.

      Our locked device auto-reboot feature automatically returns the device to the Before First Unlock state in combination with other features for zeroing memory, etc. Before that, the device still needs to defend itself from being exploited.

      Aside from that, a password is hardly immune to brute force unless you use something like 6+ random diceware words or 18+ random letters/digits.

          GrapheneOS Aside from that, a password is hardly immune to brute force unless you use something like 6-8 random diceware words.

          Do you think that the police will do BruteForce PIN code of more than 10-15 digits BFU State? Even Oxygen Forensic Detective does not see it appropriate to hack a PIN code of more than 9 digits. All BruteForce templates are designed for a graphic key (up to 9 points) and PIN code (up to 9 digits). Everything else is months and years. The criminalistic police department has hundreds of smartphones for analysis per week ...
          In addition - it makes no sense to reboot in a few hours, if the UFED - is a mobile portable device and the dump of your owner’s phone will be extracted immediately during a police search of the apartment (in AFU State).

          The user of the phone that has with important data - must do all efforts to turn off the phone before his return to the police. With one button or gesture of the finger. Any options.

          P.S. Support for Pixel 8 and 9 (Physical Dump ( ADB(Rooted) ), File Dump (Android Backup, APK Downgrade), Logical (Apps Data, Phone book, Call logs, SMS etc) ) added to the UFED version 7.72 (release from 2024-10-31).

          GrapheneOS - nice security OS, but no Applepay/Gpay method payment(((. Its very important minus for me..

              Alllus

              In addition - it makes no sense to reboot in a few hours, if the UFED - is a mobile portable device and the dump of your owner’s phone will be extracted immediately during a police search of the apartment (in AFU State).

              Cellebrite Premium doesn't have exploits which work with GrapheneOS with a patch level later than mid-2022. The purpose of the locked device auto-reboot feature is getting the device back to Before First Unlock state before they develop exploits for a current GrapheneOS and Pixel firmware release. It defends against future exploits.

              The user of the phone that has with important data - must do all efforts to turn off the phone before his return to the police. With one button or gesture of the finger. Any options.

              We provide strong defenses against exploitation combined with getting the device back to Before First Unlock state. Whether or not people manage to reboot to turn it off, GrapheneOS does a great job protecting their data.

              https://discuss.grapheneos.org/d/20401-grapheneos-improvements-to-protection-against-data-extraction-since-2024 is a thread about recent improvements to the defenses.

              https://discuss.grapheneos.org/d/20402-cellebrite-exploits-used-to-target-serbian-student-activist is a thread about a recent example where GrapheneOS blocks all the exploited vulnerabilities for locked devices. It prevents one from being exploited even unlocked and the other 2 would be much harder to exploit due to the generic memory exploitation protections.

              P.S. Support for Pixel 8 and 9 (Physical Dump ( ADB(Rooted) ), File Dump (Android Backup, APK Downgrade), Logical (Apps Data, Phone book, Call logs, SMS etc) ) added to the UFED version 7.72 (release from 2024-10-31).

              You're talking about an extraction tool requiring them to already have the PIN/password. We're talking about their exploit products for law enforcement which do not have the ability to exploit modern GrapheneOS in practice, only iOS and Android. We have access to Cellebrite Premium documentation from January 2025 and can obtain more recent documentation if we ask.

                  GrapheneOS https://discuss.grapheneos.org/d/20401-grapheneos-improvements-to-protection-against-data-extraction-since-2024 is a thread about recent improvements to the defenses.

                  https://discuss.grapheneos.org/d/20402-cellebrite-exploits-used-to-target-serbian-student-activist

                  You are very convincing in your arguments! Today, the Pixel 9 order). I have a question - I used the Honor MAGIC 6 Pro (Quallcom Snapdragon 8 Gen 3, MagicOS 9.0 Android 15, with descret security chip S1, MagicOS-8.0-Security-White-Paper.pdf ) and use processes automation - "Macrodroid" on the phone. I provided this application with all possible access. I write triggers under my phone model:

                  • turning off the phone in 15 seconds when turning off the mobile network (Faraday box);
                  • blocking the phone when stealing a phone from my hands;
                  • Turning off the phone within 10 seconds when connecting the USB cable;
                  • the second factor in the authorization of PIN when unlocking with a finger;
                  • turning off the phone if not unlocked within 1 hour,
                  • turning off the phone after 2sec clicking the volume button up and other safety macros.

                  This is a good set of security addons functions. Therefore, is it possible to use a macrodroid on your OS for extra experiment for me?
                  My profession is an activist ... And every day it can be dangerous for my work. All information in my phone.

                      Alllus I asked Macrodroid to format the phone without unlocking it for a certain period of time, but they didn't agree.

                          troika no any problems. Example trigger actions - Run "settings" applet, Enter search "factory reset", click confirm button...

                          P. S. Its very simple example.. You can make it more complex. For example, add a screen sensor lock, multiple retries, etc.

                            GrapheneOS are you saying, that a pixel 7a with grapheme is less secure than a newer Pixel device? If so, which is the safest device for graphene?

                            • de0u replied to this.

                                If I bought a Pixel 9. I install GraphenOS, install all Google programs (google translate, Play Market, Chrome, Google Drive, Google Photos and others), completely disable the USB port, set an 18-character password and a fingerprint (for convenience), set the device reboot time to 1 hour. I am not interested in anonymizing the phone. What is important to me is counteraction to hardware complexes UFED, GRAYKEY, etc. Will this be enough? Will this be a protection mode similar to the iPhone downlock mode?

                                GrapheneOS Does Windows protect better than Linux? Microsoft has more resources to implement security technology

                                    Finik Depends on what you mean by Linux. It's not nearly as secure as ChromeOS or Android. It's easily more secure than Debian. Some traditional desktop Linux distributions are doing a lot better than Debian. The topic of the thread is forensic data extraction and essentially no traditional desktop OS other than macOS and ChromeOS have any serious defenses against it but ChromeOS is generally on hardware without serious defenses against it. If you're talking about security from data extraction on a laptop, there isn't much more choice than a Mac with macOS as long as you had some kind of locked device auto-reboot set up. Anything else is not able to defend seriously against it while powered up and locked.

                                      4 days later

                                      Here's the Cellebrite Premium 7.73.1 Pixel Support Matrix from February 2025.

                                      Pixel 6-9 with GrapheneOS - the best! No any access to BFU/AFU state