A recap on Cellebrite UFED Premium and GrayKey capabilities on locked devices

Let's talk about the capabilities of these tools on locked android and iOS devices.

I did some research and some of the information may not be accurate, but here are my conclusions:

AFU iOS: access to any iPhone, even if running the latest iOS version
BFU iOS: can perform a brute-force only up to the iPhone 11 series thanks to the checkm8 exploit (I don't know what hardware vulnerability they are exploiting in the XR and 11 series)

Android AFU: Google Pixels running the stock OS were vulnerable until the March or April 2024 security patch update because of a vulnerability in fastboot mode; Magnet and MSAB were actively exploiting the vulnerability
Android BFU: starting with the Pixel 6 series, no BF capabilities

Other Android distributions (Samsung, Oppo, Xiaomi etc.) are all vulnerable in AFU and BFU

GrapheneOS AFU: no known exploit since the 2022 vendor security patch update. They can only perform an extraction if the user provides the credentials or if the device is unlocked. However, DE storage space is still accessible without user credentials and can reveal to the examiner installed packages or user file sizes in profiles. It is not a vulnerability, but just how AOSP is designed.

    grayway2

    However, DE storage space is still accessible without user credentials and can reveal to the examiner installed packages or user file sizes in profiles.

    This still requires exploiting the device to take advantage of it, which Cellebrite is unable to do according to their documentation. GrayKey and XRY Pro would have been able to take advantage of it with their approach of exploiting fastboot mode instead of the OS. As you said, it's how it's designed to work; protecting this device encrypted data with the Owner user password would be an additional feature requiring a toggle, since it would significantly hurt usability and accessibility.
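The DE/CE split that the original post and the reply above both refer to is a property of Android's file-based encryption: Device Encrypted (DE) storage is unlocked with a key available at boot, while Credential Encrypted (CE) storage needs a key derived from the user's lock screen credential. The example below is added here to illustrate that design from an app developer's point of view; it is not code from any poster in this thread or from GrapheneOS, and the file names and the `StorageSplitDemo` class are made up for illustration. It uses only public Android framework APIs (`createDeviceProtectedStorageContext`, `UserManager.isUserUnlocked`).

```java
// Added example, not from the thread: how an Android app chooses between
// Device Encrypted (DE) and Credential Encrypted (CE) storage, and why
// anything sensitive belongs in CE storage.
import android.content.Context;
import android.os.UserManager;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class StorageSplitDemo {
    // Hypothetical file names used only for this illustration.
    private static final String DE_FILE = "boot_state.txt";
    private static final String CE_FILE = "user_secret.txt";

    private StorageSplitDemo() {}

    /**
     * DE storage: the key is available as soon as the device boots, so the
     * contents are readable before first unlock (BFU). Only non-sensitive,
     * boot-time state (e.g. "did we finish migration") should live here.
     */
    static File writeDeviceProtected(Context appContext, String value) throws IOException {
        Context de = appContext.createDeviceProtectedStorageContext();
        File target = new File(de.getFilesDir(), DE_FILE);
        write(target, value);
        return target;
    }

    /**
     * CE storage: the key is derived from the user's credential, so the
     * contents (and file names) are unreadable until the user has unlocked
     * once. Note that FBE still exposes file sizes and directory layout,
     * which is the "user file sizes" point raised in the thread.
     */
    static File writeCredentialProtected(Context appContext, String value) throws IOException {
        UserManager um = appContext.getSystemService(UserManager.class);
        if (um == null || !um.isUserUnlocked()) {
            // CE keys are not installed yet; defer until ACTION_USER_UNLOCKED.
            throw new IllegalStateException("CE storage is locked; wait for the user to unlock");
        }
        File target = new File(appContext.getFilesDir(), CE_FILE);
        write(target, value);
        return target;
    }

    /** True when the app is running with a DE context (e.g. a Direct Boot aware component). */
    static boolean isDeviceProtected(Context ctx) {
        return ctx.isDeviceProtectedStorage();
    }

    private static void write(File f, String value) throws IOException {
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(value.getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

The practical takeaway matches the reply: a component marked `android:directBootAware` runs with a DE context before unlock and must not expect CE files to exist, and anything an examiner should not see without the user's credential must be written through the normal (CE) context, never through `createDeviceProtectedStorageContext()`.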

      GrapheneOS I still don't understand how Magnet was exploiting Pixels 6-8 through fastboot from 2021-10 to 2024-03 (more than 2 years) without anyone reporting it to Google during all that time. At least you reported CVE-2024-29745 a couple of months before they patched it a few months later. But it's still terrible that they exploited this for 2 years and 5 months. We waited for MSAB to proudly post a video of the exploit on YouTube, if I remember correctly, to make things change.

      If anyone is interested in seeing the GrayKey Android and iOS support Excel files, I can post them (they are from October 2024).

      They can also exploit the iPhone 12 series in BFU until iOS 17, probably iOS 18 too now.

        grayway2 I still don't understand how Magnet was exploiting Pixels 6-8 through fastboot from 2021-10 to 2024-03 (more than 2 years) without anyone reporting it to Google during all that time.

        Three big reasons:

        1. Government/LE level forensic tools use DRM with certain unique device setups to protect the exploit code/payloads from being uncovered. That's why you see old Cellebrite kits like Touch2 tablets sold in the wild not get salvaged for exploits: they shouldn't be stored there.

        2. The average user from the limited customer base for these kits is just a forensic investigator trained to navigate the tools; they have little interest in or knowledge of the mechanisms used to perform their extractions. They may know it's hacking, but they're not interested in going above what their jobs tell them to do.

        3. Forensic companies use intimidation tactics and NDAs to protect their exploits. One example is that GrayKey users would have to sign NDAs and be instructed to use the device in a strictly confidential environment where you weren't allowed to describe its appearance, and anyone who wasn't authorised wasn't allowed to see what the device looked like. Details like this are irrelevant, so it's nothing but an intimidation tactic meant to keep its users quiet; plus, we know what GrayKey looks like now anyway.

        And this isn't to say they did keep it a total secret... they absolutely have not. For example, I had seen a Magnet representative brag about stock OS Pixel capability and "fast" stock OS brute forcing (likely attributable to causes similar to MSAB's stock OS exploit) on the internet long before the 404Media article. You should assume someone at Google was likely aware of it; they're Google. They just don't act because they have no other details but that; it's too open to find what the vulnerability causing it could be, unlike with MSAB.

        Police and governments, in many nations, also aren't run by the brightest people. While governments have money to hire highly technical people, many of them do not work for them at all. The best would rather work at a huge company like Apple, start their own, or get fame than work in silence for the state. Many of these organisations are departments historically known to cause infighting between each other and, in the worst cases, deep corruption against other departments or their citizens.

        Some don't even practise basic cyber security or cyber awareness. While some agencies may have very tough confidentiality plans, like top-class intelligence agencies, the smaller fry like local law enforcement in less technical nations shouldn't really be trusted to uphold product information provided by forensic companies.