Before commenting, please keep this thread closely related to GrapheneOS please. It isn't our place to say what happened or what he's being investigated for, it's obviously not public and it's common for LE's to keep that to themselves at this phase.
IksNorTen I'm quite curious to see how GrapheneOS stands up in such high-stakes scenarios. What do you all think this means for our security features?
No changes from us to note. The tools we talk about such as Cellebrite Premium, GrayKey and XRY Pro are the highest-end offerings exclusive to law enforcement and government. Why use tools with less extraction capability for certain people when they can just use the best against anyone they put in the cuffs? They wont be using brand new tooling for certain groups of people, these tools are used on ordinary citizens as well. The only real differences between the base Cellebrite UFED and Cellebrite Premium product is broader device support and extraction range.
It may sound like a hot-take at first but this isn't really a case I would consider "high-stakes". It is unique, sure, but for the stakes to be high, the suspect needs to be a dangerous individual and/or the content on his devices would need to have crucial information regarding the welfare of somebody or useful information about another suspect. I doubt this person is Edward Snowden, being a journalist isn't enough.
We are aware of other forensics options available, such as the companies' advanced access services but they're mostly the same as Premium and the documentation mentions when certain accesses are only available when you contact the company to do it themselves, like Cellebrite. There are ultra high-stakes, last-resort methods like Micro Read but this person absolutely doesn't fall under the criteria to do that with, and has a high chance of total failure because of it's incredible difficulty and technical knowledge. BFU devices with long, secure passphrases aren't covered by Micro Read attacks on their own anyway.
IksNorTen Any thoughts on how we can keep improving to protect users in similar cases?
Be a good citizen and don't break the law. Stay out of trouble, seriously. Seized devices cannot be appropriately protected because they cannot be updated or controlled by the trusted user. The new owner can just choose to keep it for as long as they want and not update it and wait until a potential vulnerability comes. For example, Titan M1 phones unsupported by Google and GrapheneOS appear to have brute force capabilities as mentioned in our Cellebrite docs. While a strong password prevents brute forcing, don't hassle yourself. Don't be cocky. Too many people get a little too confident when they feel they have good security and that leads to their downfall.
...On a serious note, don't keep data you don't want to be seen in possession with. It's not worth being a data hoarder if what you're hoarding may lead you to be targeted for your operation. The delete button is your friend. In intelligence, agents are people who gather information for the agency, not for themselves.
If you have to be in possession of a journalism product then don't be the only person who owns a copy of it, or else you have a single point of failure, You. If you are a journalist reporting on something detrimental you cannot have a single point of failure. You should always keep backups of your data to somewhere, it can be encrypted on a cloud, to someone you trust, and in other local media.
IksNorTen And what do you think of the utility of the duress password feature in this kind of case? Would it help the journalist or would this be worse for him?
Duress password helps, it's designed to be used just before or during a distress event. All data is erased. It would be obvious it was triggered though as it would appear the phone had been factory reset. The purpose of duress password is to use it when the consequences for unauthorised access of the data is worse than what happens if the data is destroyed, and ideally the latter should be miniscule if you had backups.
IksNorTen Yes but you can also be charged with destruction of evidence and face years in jail too?
Overall, people choosing to give/not give credentials up to an authority is up to their own discretion, if he chose to do that then that's his choice. We don't and can't make that decision for other people. Same goes for using the duress PIN, etc. Users should use it when it is most appropriate to them. Assume that if he's done this, clearly he's aware of the consequences.
phone-company In the best case scenario, you get the authorities to enter the Duress Pin themselves
I cannot recommend people to try this, the feature isn't designed to be used on tricking somebody. When devices are seized, they are kept in a lab in a preservative state then examined for it's characteristics so they can be documented for the case. It only takes a slightly experienced person, and in some cases, a complete novice to recognise it's a Pixel with GrapheneOS installed. Moment that's known they're never going to ask you because they know a password can erase the device. If they had been spying on you they could just build a brute force dictionary based on what inputs or hand movements you made while entering your primary credential instead and completely ignore you.
Nothing stops a user on this forum or elsewhere making a little guide or a warning about GrapheneOS devices and how they may appear. It isn't worth the risk.
JollyRancher One of the better options for this is to have a second phone that you know is vulnerable to forensic tools and store your duress password on that with a descriptor like GOS Password.
Same as above, If I was putting myself in the shoes of an experienced investigator I wouldn't trust anything a device owner says about their GrapheneOS device, this file wouldn't confirm anything about it being the password unlike surveillance of the target. A good investigator shouldn't fall for lures or red herrings.
