Unsubstantiated claims about Sweden exploiting GrapheneOS with no evidence

GrapheneOS

dc32f0cfe84def651e0e Exactly, they may have recorded the password being entered. It may have been a terrible password and may have been used across all of the devices and other devices. It's entirely possible the password was also used for websites, etc. People commonly reuse passwords.

foxkurdisssh

GrapheneOS
Yes true.
Also, a common way for the police is to check iCloud Keychain if your private phone is a iphone, its very easy to access and also they try all the passwords they can find there because many people often have the same passwords.

Another thing is that they often open the phone and just take the RAM out because the RAM itself is not incrypted, this is very common with iphones i dont know if that works on a GOS.

foxkurdisssh

I see that many people complain that it does not say how, where, when the police entered the GOS in the FUP. What you need to understand is that the police in Sweden do not have to show how they entered, they do not have to report anything, it is enough that they know the contents of the phone and it is enough to say that it was fully extracted, etc.

Swedish police do not have to report anything about how they entered the phones, Swedish police have a lot of legislation on their side, they do not even have to suspect someone of a crime to use attacks and then be inside that person's mobile. In Sweden you can be detained with full isolation for a crime you did not commit for over a year or 2 and then be free in court, this is very common. The police can basically do whatever they want and FRA which is similar to the NSA gives them all the tools they need to the local police. Its crazy.

With that said, Icant confirm or say that any GOS have been exploited.

GrapheneOS

foxkurdisssh Which is why it's completely wrong for people to be claiming that lack of any indication of how they got into devices means they exploited them. There are many people who cooperate with police once faced with that situation. There are also other ways to get the password. It's not clear why people are claiming that these documents indicate exploitation when they do not claim to have done that, do not imply it was done and even have parts which imply it wasn't what they did. If they had OS exploits they wouldn't need to do a lot of what it's indicated they did and OS exploits would not work to get data in several situations presented where it's Before First Unlock with a password. It's largely implied they got the password another way...

foxkurdisssh RAM is not fully encrypted on the supported devices but there's a locked device auto-reboot feature on GrapheneOS kicking in 18 hours after the device is locked by default. GrapheneOS clears freed memory in the kernel including when rebooting or shutting down, which wipes most memory. It also wipes all the free memory when booting the OS. Since April 2024, fastboot mode on Pixels wipes memory on boot before USB is activated. Encrypted RAM would be nice but the SoC can still be tampered with even with encrypted RAM. Encrypted RAM raises the difficulty of that kind of approach to extracting data. It's highly unlikely with GrapheneOS especially for a non-extreme case due to locked device auto-reboot. The passphrase is also not in the memory.

de0u

foxkurdisssh I see that many people complain that it does not say how, where, when the police entered the GOS in the FUP. What you need to understand is that the police in Sweden do not have to show how they entered, they do not have to report anything, it is enough that they know the contents of the phone and it is enough to say that it was fully extracted, etc.

Then no "fully extracted" report counts as evidence that an exploit was used unless somehow there is an explicit statement that an exploit was used.

If any of the proffered police reports does say an exploit was used, it would be great for somebody to say which page of which document.

Otherwise it doesn't matter if there are 500 or 5000 or 50000 police reports that say "fully extracted".

Claimspro

foxkurdisssh

Not true 9/10 times in FUP the police will state what they used to gain access to the phone in the case or the evidence they have used.
For example; It would say cellebrite or HAK or HDA or HÖK have been used on Iphone 11 to gain this and that and after the FUP will show the extracted information.

This statement is also not true:
In Sweden you can be detained with full isolation for a crime you did not commit for over a year or 2 and then be free in court, this is very common. The police can basically do whatever they want.

The person of interest needs to be suspected with evidence to be in isolation.
https://sv.m.wikipedia.org/wiki/Misstankegrad

And if set free due to the evidence not strong enough it is because sweden follows something called,
"Hellre fria än fälla" with other words meaning "rather to set free than sentence someone innocent.

I dont know why people keep claiming the police can do what they want in Sweden. Sweden still sends phones abroad to get help so I dont know where you guys get all this info that FRA and SAPO helps the police.

In the worst year in Swedens criminal history, FRA and SAPO did not step in and help. Stop scaring people and spreading fake rumours. For 2 weeks now GrapheneOS have been a subject among people in Sweden just spreading fake things who started it and where everyone gets the info they have is a mystery.

I know cases high profiled murder cases in Sweden from middle of 2024 and one in 2023 that the police admitted they could not break the encryption and did get no access to the information on the phone.

If the case is that the police had methods to crack the encryption it would be over every newspaper in Sweden like the Swedish police always do celebrate every major thing that could stop the ongoing violence in sweden.
I did send a podcast with forensics in the swedish police who clearly states it all depends on the circumstances if they can gain access. Is it unlocked? Do they have the password? Is there no password? Have the suspect given the password?

Answers no one in sweden can answer but the police. These rumours has to stop.

GrapheneOS

JayJay

I highly doubt it, because if it was they would disable the password and be able to do full extract by switching on all USB. However this was not done, they had to do manual extract.

Why make an assumption about how they would want to extract data where they have the password? They probably wouldn't want to risk having an app wipe the device if they have another way to use it.

Also if it was, there would have been evidence with more upclose photographs, this was not provided as evidence either.

No, that's a bad assumption and doesn't indicate they didn't discover the password somehow.

An exploit has been used here to bypass.

No, that's not substantiated.

Not so long ago there was a simcard switch exploit that bypassed the password.

Only for After First Unlock state devices. You're ignoring the auto-reboot timer, which gets devices back to Before First Unlock state and was 18 hours by default since the 2024-01-13 release.

We know for a fact that such exploits has occurred before

That also required an After First Unlock state device and have been prevented outright as a class of vulnerability able to get data from user profiles since April 2024. You say to assume they were updated past that, so exploiting fastboot mode would only obtain data available Before First Unlock. A device in Before First Unlock state would also need to have the Titan M2 exploited to brute force a password. If it was a strong password, nothing would get the data in user profiles from a Before First Unlock state device. Titan M2 throttling is needed for a random 6 digit PIN or non-strong passphrase. Exploiting that is very difficult.

From 2022 https://www.youtube.com/watch?v=B6q0nJnltsk (simcard switch exploit).

This was an AFU device exploit, not doable after auto-reboot.

While I am not so updated on the CVS between 2024 until 2024-11-21 one cannot fully protect himself. A complex password+auto reboot timer+USB disabled can only protect you until you are being shoulder surfed.

Yes, they can record you entering the password. If you reuse the password, the weakest security machine where it's used can be targeted. It's also entirely possible someone reused it for a website or other service. You don't know how they got it. If it was a strong passphrase and ANY device was Before First Unlock then they wouldn't have been able to get data from that device without having recorded or obtained the password somewhere. Even if it was a mediocre password, it would take substantial resources and time to crack. The claim that they exploited the devices doesn't add up especially since you say at least one was turned off and therefore Before First Unlock. Exploits cannot bypass the disk encryption as multiple of your posts / statements are implying.

To be able to configure timebased complex password would protect you even further however it depends on what you are defending yourself against.

That doesn't make sense. A standard diceware passphrase combined with the device being Before First Unlock prevents getting past the encryption for user profile data. Even a mediocre passphrase would be a huge hassle to get past. You're implying they exploited the Titan M2 to brute force a relatively weak passphrase. That doesn't seem at all likely, contrary to what you're saying.

Or to be able to have some protection against airplane mode toggle, what-a-heck maybe even a configuration airplanemode toggle =autoreboot first. I mean there are of course more protection one can do but it will come at a cost of convenience.

Enabling airplane mode isn't a problem. Disabling it raises attack surface but is expected as part of emergency calls being possible while locked with it on. We've planned to allow disabling that feature for a while, but it would probably break some regulations.

dc32f0cfe84def651e0e

GrapheneOS If you reuse the password, the weakest security machine where it's used can be targeted. It's also entirely possible someone reused it for a website or other service.

Poisoning the well by reusing duress password elsewhere would make sense then. Imagine: lawdogs take your phone, enter an assumed password which turns out a duress one :)

grayway2

GrapheneOS is it possible that GrapheneOS faces pressure from authorities because forced airplane was implemented?

I mean the default airplane mode would still be bypassed through emergency calls but full would require user to change it from settings.

GrapheneOS

dc32f0cfe84def651e0e USB-C port control is also enabled by default and there are other reasons to avoid interacting with the device/OS if they have the password. There can be apps set up to auto-wipe on various conditions. Having the password doesn't mean they would want to simply unlock it via the UI and go through developer options to extract. If they have a lower level way to do it while having the password, they'd probably want to do that to avoid wipe being triggered.

GrapheneOS

matchboxbananasynergy A password protected device in Before First Unlock state (turned off) having all of the data extracted heavily implies that the passwords were obtained from the people rather than this being a bunch of devices which got exploited. Titan M2 exploit could bypass brute force protection but a decent password would still hold up quite well and would be impossible to break if it was a strong one.

GrapheneOS

Byku There's no indication of an exploit of locked devices and in fact it indicates otherwise, contrary to the conclusions in that post.

GrapheneOS

locked A powered off phone with a password having all data extracted in fact largely implies that the password was known. They'd need to brute force or already know it, implying exploiting the Titan M2. Exploiting devices in After First Unlock state wouldn't give them the password. It's heavily implied they got password(s) elsewhere.

That’s not enough to conclude a live exploit was used in 2024.

The actual evidence even indicates otherwise.

GrapheneOS

ryrona

Okay. That just means they did not use any exploits against that one. No exploit can access encrypted data on a BFU device in any way at all other than by inputting the correct passphrase. So they did guess, know or was given the correct passphrase.

Yes, exactly. It shows that it was not based on GrapheneOS exploits for at least that phone, and heavily implies it for the other devices too.

Even if was a very weak password, they would have still had to exploit the Titan M2 to bypass brute force protection. If it was even a mediocre password, it would be very hard to brute force with brute force protection bypassed. We talk about using 6-8 diceware words because it outright prevents brute forcing even with massive compute power, but a much weaker password still provides substantial protection.

You mean USB port was "charging only" or complete off as opposed to "charging only when locked"? If they guessed, know or were given the passphrase, they would just be able to enable USB fully. So this might actually imply the possibility they have a cellular based exploit that kills the lock screen, but isn't able to enter passphrase needed to change security settings.

That would be extraordinarily unlikely. The lockscreen can't be killed like an X11 lockscreen but rather is a mode of the SystemUI. The SIM card exploit from 2022 which we discovered long before the public disclosure involved SystemUI wrongly entering an unlocked UI mode which is now protected against much better. It could still be hardened more, but it's about SystemUI logic. SystemUI crashing or anything like that would not do it. The device would just soft reboot back to the lockscreen

Is there any other possible explanation of why they would have gotten access to the unlocked user interface on a locked phone, but not able to do USB extraction?

If they didn't want to interact with the phone and have a way to extract data based on having the password provided to them without it. However, a whole lot of assumptions are being made about what they did and we don't think it makes sense to theorize based on a bunch of assumptions.

GrapheneOS

JayJay

In these type of reports you can also read the whole police interrogation, the passwords were NOT handed over or it would have been noted in the interrogation otherwise. Also fingerprint was not used.

It's wrong to assume the passwords not being in notes for interrogation means it wasn't turned over. They would have interacted with the police beyond that and there is also the possibility of the password being reused across many devices/services, etc. It may also have been written down, stored on unencrypted storage such as a password manager on a Windows machine, etc. You're assuming something about what happened based on what isn't stated. That's unsubstantiated.

They do not mention in these reports how the access was. However it was not through cellebrite for the Pixels as they usually mention it otherwise.

Not stating something doesn't mean it isn't what was done. We know Cellebrite Premium was only able to exploit GrapheneOS releases from mid 2022. It's possible that changed in the past month or so but we have documentation from 2025 for Cellebrite Premium. If they could exploit releases from 2024 with it, we would know. We also have similar documentation from several other forensic tool vendors and they only appear to be able to extract Before First Unlock data at best, if even that. It's less clear since they don't specifically cover GrapheneOS.

If they had password access they would have made a full extraction and not phone in airplane mode.

Emergency call takes a phone out of airplane mode. A feature for blocking that has been planned for a long time but not implemented yet due to time constraints. We can't implement everything we have planned.

Malmö TR B 11984-24 Aktbil 363-1.pdf

None of this indicates any exploits. In fact, what it shows is that they're likely getting people to hand over their password or getting it another way, followed by performing an extraction if possible or otherwise just recording browsing through the device. Are there even clear indications of exploiting non-GrapheneOS devices? Why is that being assumed when it's not stated?

GrapheneOS

Bimmy

Is there evidence that the cited text is from authentic, official documents?

It has not been verified, but there isn't much reason to doubt the authenticity. The documents do not make any claim that GrapheneOS has been exploited but rather that is entirely the assumption of several people in this thread and elsewhere. Therefore, the documents being authentic or not has little relevance.

What evidence do we have that the events described truly happened? (In contrast to describing partially or wholly fictional events -- maybe as a scare campaign -- as users suspected above.)

If the documents were a scare campaign, they'd probably claim that GrapheneOS had been exploited which they don't appear to claim anywhere.

(If 1 or 2 can't be answered yet, I wonder:) Specifically with the precisely cited numbers for alleged cases, mobile equipment, and even names -- is this consistent with evidence from "outside the bubble"?

There's no indication in the documents of any exploits of GrapheneOS or the Titan M2. Many aspects of it indicate that did not happen. That doesn't mean there aren't exploits of GrapheneOS elsewhere but it does not appear to be happening in these cases. It's not clear why a few people are so convinced it is when the documents do not claim it or even imply it. You can see there are a whole bunch of stated assumptions about supposedly passwords not being handed over due to it not being stated, so they draw the conclusion that the devices are exploits despite it not being stated. It's strange to assume many things didn't happen due to not being stated explicitly but that exploiting the devices did when it's not claimed either. It is confirmation bias.

Bimmy

GrapheneOS It's not clear why a few people are so convinced it is when the documents do not claim it or even imply it. You can see there are a whole bunch of stated assumptions about supposedly passwords not being handed over due to it not being stated, so they draw the conclusion that the devices are exploits despite it not being stated. It's strange to assume many things didn't happen due to not being stated explicitly but that exploiting the devices did when it's not claimed either. It is confirmation bias.

Thank you for the reply.

If you allow me to add my own interpretation and to slightly drift into offtopic philosophy: Our brains have some wonderful attributes -- and imagination can be a fantastic quality -- while, as already implied, being deeply biased by default. Sentential calculus is not our default mode of operation and it has a high cost of chemical energy and experienced effort to invoke and keep consciousness doing that calculus. Its the imperfections of that biology that provoke our rash conclusions.

Getting somewhat back to documents, and the incomplete information we have, it could generally be helpful to call an old saying to mind: That absence of evidence is not evidence of absence (s. https://quoteinvestigator.com/2019/09/17/absence/ ). Our uncertainty and our emotions can make it very hard to infer truthful statements, and it will take continuous effort from all participants to turn the uncertainty we all started with into something more positive.

GrapheneOS

argante

Samsung has been accused in the past of building bugs into its modems

Not credible allegations.

Even now, Samsung is still accused of collaborating with government agencies.

Not credible and hardly relevant.

https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

This does not provide control over the OS without OS exploits.

GrapheneOS

Masterlord

Not sure what more people needs?

Actual evidence of exploits. There aren't even statements indicating any exploits of GrapheneOS devices were done in unverified documents. It's not even an indication of it.

They do not need passcode, pin or fingerprint.

No, those are unsubstantiated claims based on confirmation bias.

It is stated in the court documents. My guess (not validated) is they do it remotely and hijack the screen. Thus "manually reviewed".

No evidence of this or claims of it.

This is just ONE case shared in the thread. There are more cases in this country, where they have broken into GrapheneOS.

0 examples of law enforcement even claiming to have exploited GrapheneOS have been provided. It is currently not even a claim that's being made which can be evaluated. It is an assumption several people are making for unclear reasons.

They do not need to disclose the technical aspects of how they got the evidence in court. They do not share this, to keep the exploit effective longer.

There is no claim of the devices being exploited in anything that has been shown/reviewed. We aren't talking about any details of exploitation being provided but rather the fact that it was not even claimed anything was exploited.

GrapheneOS

Masterlord Exploiting the cellular radio does not give access to the OS without OS exploits. Those exploit chains have been demonstrated, but it's significantly harder and GrapheneOS would provide extra protection against it. There's also no evidence indicating they're doing this for GrapheneOS or non-GrapheneOS devices. The claims that are being made don't even hold up for the non-GrapheneOS devices. What people are claiming they must be doing is not backed by statements in these documents or other evidence.

foxkurdisssh

GrapheneOS

Yes, strong password, right settings. You are 99% safe if you are not a terroroist. Gos is the safest mobile you can have in the market right now, also its a big diffrence between the GOS from 2023 to today because of major updates.

HecticHector

Its a shame GrapheneOS get so defensive and abrasive, so much so that I didn't even want to post this, especially without any evidence of my experience. Australia has just passed draconian laws with back dooring phones. Including being able to act as you and post on your social media. Our Gov's online security chief is an American WEF nutter woman.
A few months ago I was using GrapheneOS on Pixel 6 Pro. I am not a criminal, a small business owner protecting clients sensitive data. One glorious day I became surrounded by 30 undercover officers, one of whom was looking at my phone data via his phone in real time. He stated "I'm having a hard time seeing what he's writing" as I was texting someone letting know the situation.
I've skipped a lot of fine details and I won't be providing evidence of my experience. I have made official complaints to LECC Australia, governing agency who investigate police corruption, abuse of power, etc.
With an easy Google search you can find the laws passed here.
I appreciate GrapheneOS team so much for all your efforts. I understand getting defensive, I do to when I get a bad review.
We only want to be safe and not treated like we're all criminals in our houses by our government in Oz. It's become ridiculous here and we need GrapheneOS. It's growing here, people are even starting business' selling preloaded GrapheneOS on new devices. Controversial I know but we need this. And so do GrapheneOS for exposure. Fingers crossed they do righty and donate to Graphene.
Hearing "I'm having a hard time seein" was music to my ears, but they were still seeing something, what? No idea.

locked

HecticHector Fascinating story, 30 undercover officers, real time surveillance, live commentary on your texts... it’s got everything. Tom Clancy, anyone?

If something like that actually happened, especially on ANY device, it would be a landmark case, complete with technical disclosures, forensic reports, and, you know.... evidence.

Until then, We’ll stick to verifiable and reproducible methods, not theatrical anecdotes that leave out details and just happen to support the idea that ANY OS can be magically compromised.

monozygote

HecticHector Its a shame GrapheneOS get so defensive and abrasive

I haven't read all the replies in this thread, so can you point out where in this thread this has been the case? From whatever I've read so far, replies from all accounts marked as being mods have been very reasonable. They have been specifically quoting points being raised and given their p.o.v on the matter.

HecticHector I didn't even want to post this, especially without any evidence of my experience

Posting without evidence could be seen as (1) someone's genuine/honest and simply wants to know more (2) is a troll (3) has an agenda and is either acting independently or employed by an "adversary" ... etc. We don't really know each other, so strictly speaking any of these is equally likely. However it seems most the time folks (including GOS folks) in this forum give the benefit of doubt and assume it's "(1)" and proceed to engage in a meaningful way.

HecticHector He stated "I'm having a hard time seeing what he's writing" as I was texting someone letting know the situation

Assuming all this really happened, a lot of warfare these days is fought on psychological levels. Maybe they said that to plant a doubt in your mind, maybe to unsettle you into making a mistake, maybe this maybe that. Who knows.

HecticHector With an easy Google search

This is not just for your post but there are others who seem to resort to this often. Firstly, if it's so easy, why don't you do it, filter out the relevant content, link and post it here yourself? Wouldn't that help others (who btw have no obligation to respond to you or me or anyone) help you better and quicker?

This is like someone raising an issue on GitHub repo of a large project (or commenting on a PR) claiming "There are several places you have assigned a string to a variable you should have assigned a number to. With an easy eyeballing of source code you should be able to find it out.". That's pretty much a nonsense description waiting to be flagged and closed. Folks would expect you to link to specific parts of the code so that there can be inspection and meaningful discussion.

Bimmy That absence of evidence is not evidence of absence

That's true but I'm not sure what you want ppl to do with it. There's no evidence that unicorns (was gonna say God but that might trigger some folks so keeping it to unicorns) exist and yet no one can claim that they don't exist. However this is not very useful/interesting. Everyone can clam infinite such things and apply that quote - so what do you want people to do, keep looking for (the proverbial) unicorns?

There's merit in theorising and assumptions, but science is driven by evidence (preferably empirical) or a search for it. It doesn't depend on your biases, what you think/thought, whether you "genuinely, 100%" saw aliens, etc etc.

argante

HecticHector Australia is a police state. It competes with the UK in terms of draconian and oppressive solutions. But someone votes for these politicians.

Nuttso

In this entire thread, I've noticed there's quite a bit of misinformation floating around, and I'd like to clarify a few things based on actual experience and factual knowledge. I've personally been dealing extensively with law enforcement and relevant authorities who closely monitor these issues. I'm also involved with a privately established committee under a legal group in Germany that collaborates with organizations like the Chaos Computer Club and German Association of Criminal Defense Lawyers.

One significant shift we're seeing is that law enforcement is moving away from traditional forensic extraction methods. Instead, they're increasingly focusing on exploiting vulnerabilities in systems directly. Why this change? Because when security measures against forensic extraction are implemented correctly and truly understood by users, they become virtually impossible to bypass. On the other hand, attacking the software itself (exploiting drivers, firmware bugs, or other software weaknesses)often provides a much easier pathway.

The claim made here that Swedish authorities can effortlessly extract live Signal messages and screenshots from GrapheneOS devices is very questionable and, frankly, sounds exaggerated. From my direct experience and insight, I can confidently say such feats would require extremely specific conditions and vulnerabilities that, as far as we know, currently aren't present in GrapheneOS.

Additionally, it's worth mentioning that in Germany, an entire governmental authority named ZITiS (Central Office for Information Technology in the Security Sector) has been specifically established to facilitate precisely this kind of infiltration. Similar entities exist in other countries, and these efforts aren't exactly hidden from public view. In fact, there is a clear trend towards changing legislation throughout Europe to explicitly support and enable these kinds of methods in the near future.

« Previous Page Next Page »