Unsubstantiated claims about Sweden exploiting GrapheneOS with no evidence

phone-company

Hehe in this case the phone code was known by the police and they had extract the whole Data.

locked

argante I did notice Snapchat was on the phone, and the misspelling of WhatsApp (Whatsup) . Although there is no mention of WhatsApp being exploited, we know it was successfully done by The NSO Group with their Pegasus 0-click spyware back in 2019 and there is a more recent exploit from early this year, by Paragon Solution's Graphite Software 👀, also 0-click, that uses WhatsApp as an attack vector. There is a mention of the following path in the report: /data/media/0/pictures/, is this where WhatsApp stores photos unencrypted? Not certain on this, there is no evidence there was a WhatsApp exploit in the report. Someone with more expertise should chime in. As far as preparing the groundwork to hit GOS, in the EU? Maybe, there are already very controversial laws circulating in regards to encryption and privacy there. The U.K has forced Apple to disable ADP (Advanced Data Protection) for iCloud. Apple and WhatsApp (since it might affect them as well) are appealing the ruling. I would not put anything past The EU honestly and anyone building privacy and security tools should surely be watching things closely.

argante

locked I fully agree. And these regulations in the EU are supposed to try to launch in 2026.

JayJay

locked

https://capilano-ics.com/2025/05/21/technical-report-on-paragon-graphite-spyware-and-its-known-exploits/

That is a nasty one.... Specially since they also could listen to some Signal calls made. They didn't mention how it was listened, if tapped room or car but some calls where intercepted too. You might be on track to something here.

I wonder how GrapheneOS would stand against this attack.

de0u

JayJay https://capilano-ics.com/2025/05/21/technical-report-on-paragon-graphite-spyware-and-its-known-exploits/

Thanks for the link.

JayJay I wonder how GrapheneOS would stand against this attack.

Which attack? The "Vectors" section mentions "social engineering". The fact that they have zero-click vectors for some versions of WhatsApp and/or Signal on some platforms does not mean they have any functioning exploits for up-to-date Signal on up-to-date GrapheneOS. Maybe they do... but social engineering works even if they don't.

The report says "Wide Android OS fragmentation means many devices remain vulnerable longer". Well, so far GrapheneOS is pretty much the king of rapidly shipping security fixes. Aside from staying up to date, maybe the next move is to avoid apps based on the frequency of holes...

freesea

Few thoughts on the subject:

1) Since the documents are public, they WILL be vague on PURPOSE - look, its not just bored pensioners or law students who reads them. People who are on the other end in these cases also reads them. Criminals, shady lawyers etc. also extensively look through such documents to see what kind of methods police and prosecution are using. Imho its in prosecution's best interest if the wording remains in a way so that you don't really know if the password was written down somewhere (if all those phones were connected, there literally could be some guy who was ordered to get the phones for his buddies and the criminals simply fucked up because they can't remember a password), whether the suspect told the password, maybe the passcode was literally 1234 or was it some elaborate sting operation or a Hollywood movie style remote access. Similar to any other kind of evidence - police will not publicly disclose how many hours and in what way and with what tools they gathered evidence against somebody, it will probably just say "extensive surveillance" or something like that.

2) for me the weird part was that in some cases they were recording and taking pictures of the screen. If they actually had this sophisticated high-tech tool developed that could remotely attack devices just by knowing IMEI (what was originally posted), why would they need manual extractions and video recording phone screen from another device? Doesn't make sense to me. If they had access to such a powerful tool, you would be seeing noticeable and recording breaking numbers of arrests and prosecutions. Is that happening in Sweden? I think the usual news about Sweden is that the crime and gang problems aren't getting any better...

Imho the answer here is that people should be gravitating to Occam's razor - the police gained access to the phones in one of the many old ways, they just aren't saying it in the documents, to keep it purposely vague so criminals are kept unsure on how police work.

Willeman

I am from sweden myself and a graphene os user so i found this thread very relevant to myself, especially since the HDA law became permanent this april.

This is a recent police investigation where a pixel with graphene os is involved where they in this case could not get any info out of the phone.
https://files.catbox.moe/5h4l3a.pdf

Pg 31 is a report of siezed items where a google pixel is mentioned with nr 2024-5000-BG150076-2
Pg 190 there is a document saying that they have not been able to analyse the phone with number 2024-5000-BG150076-2 (pixel in question)

Unfortunetly the report says nothing about graphene os, but this is local to me and the pixel in question was running graphene that im sure of

As to the case that @DeletedUser335 posted a link to it is a very big drug case with other resources maybe? Still amazes me that they got info out of evry single pixel in that case, read through alot of the document and no or very limited info regarding how they got access to all the info they did.

This to me feels like somthing that needs more digging in to and looking at other similar cases to get a picture of if they really can extract data from any pixel running graphene, but that proabebly isnt the case since they where not able to access the pixel that i posted a link to earlier, anyhow i hope we get some good info about the claims that the swedish police can exploit graphene

Nomood

I think whe need to keep things seperate.. Opening GOS devices in criminal cases in Sweden is for now still not possible on all devices so whe can conclude on that fact that these devices who where opened assuming the ownsers did not gave them the passwords thereself that tthey where or without password weak password or that they somehow got hold on the passwords by observing or other way.. But in Sweden the things been going a bit different lately. There is a bloody war going on between 2 groups of criminals what already results in more then 15 deaths.. Because of the heavy violence the sapo got involved and they are capable of other things then just opening devices. They are a secret service working with mossad and the CIA and they are infecting phones with a self made pegasus kind of trojan... Maybe the description of screen record and so on came by the trojan who records the screen live.. Anyway that was my tought and I think I am pretty close to the truth of the situation!! Does anybody else has a idea what this trojan is capable of??

de0u

Nomood Because of the heavy violence the sapo got involved and they are capable of other things then just opening devices. They are a secret service working with mossad and the CIA and they are infecting phones with a self made pegasus kind of trojan...

I am curious how it is known that a custom program is being used.

Nomood Does anybody else has a idea what this trojan is capable of??

If the Swedish Security Service is very concerned about a specific gang war, and if they did develop a custom trojan to use on the presumably small number of people in those two gangs... would somebody who actually knows what it does post the details in a public forum?

wuseman

Nomood they are infecting phones with a self made pegasus kind of trojan...

Source?

argante

Nomood Does anybody else has a idea what this trojan is capable of??

You ask what WhatsApp is capable of? You give it access to directories, photos, the camera, and the microphone. These types of programs attack the WhatsApp on Pixel 6 and 7, which were mentioned in those documents; they lack, for example, MTE protection. It's the users' fault, because they installed untrusted apps on phones they considered trusted. No amount of security can protect you from stupidity. Saying this is an attack on GrapheneOS is spreading disinformation. No document indicates this.

other8026

argante You ask what WhatsApp is capable of?

I didn't think they were?

argante It's the users' fault, because they installed untrusted apps on phones they considered trusted.

argante No amount of security can protect you from stupidity.

I think you can probably find a nicer way of saying these things. Some people are new to these ideas of improving their privacy and security. They may not know of privacy or security issues with WhatsApp, for example. This doesn't make them stupid. Everybody needs to start somewhere, and when people degrade others who are just starting out, it may just make them scared to ask questions or participate in communities such as ours.

other8026

argante Your post was flagged, so I figured it just made sense to say something. Obviously somebody felt something about the post crossed a line.

argante No amount of security can protect you from stupidity.

argante This isn't saying someone is stupid—and there's a big difference between saying (1) someone is stupid vs (2) someone's behavior being stupid.

argante The first statement is indeed a rude judgment and kills motivation

I read it as the first one, personally.

But like I said earlier, I'm not even sure they were talking about WhatsApp...

DeletedUser299

My p6a at two years old, with a 14 digit pin, the auto reboot set at 30 minutes to BFU, no fingerprint access is to current knowledge impervious to being breached. Nowhere on the planet is there documentary evidence to say otherwise. That is not to say it can't, but nothing has shown me it can, so I will rest assured, that most of this post is speculation at what has happened and been constantly reposted etc, its like Chinese whispers.

longshots

My main concern is that the Swedish Security Service is trolling this post until it reaches 500...

argante

other8026 This doesn't make them stupid.

I don't feel like my comment was rude. Writing:

@argante No amount of security can protect you from stupidity.

This isn't saying someone is stupid—and there's a big difference between saying (1) someone is stupid vs (2) someone's behavior being stupid. The first statement is indeed a rude judgment and kills motivation, but the second one motivates to change behavior and has a positive effect, that is: I'm not stupid, so I do not want my behavior to be stupid either.

@Nomood - do you find my comment offensive? If so, please accept my apologies.

argante

other8026 But like I said earlier, I'm not even sure they were talking about WhatsApp...

Just notice that most of these high-profile phone hacking cases, including political assassinations, often had one thing in common: WhatsApp. And yes, WhatsApp sued NSO, but we still read about WhatsApp time and time again. Signal is open-source, audited, and written in a secure language (libsignal: rust, android app: kotlin) - there's no reason to use or trust WhatsApp.

Blastoidea

As more information becomes available at people’s fingertips, it becomes harder to excuse ignorance.

Toiletterider

Anything connected to the internet can be hacked.
-Edward Snowdén.

Lets not forget that! However, running Graphene at least raises the bar alot, compared to standard pixel or even iphone.

JohnPatrickMason

The Swedish police recently failed to breach a GrapheneOS phone, a court case has revealed a few days ago.

wizoatk

JohnPatrickMason

Link or specific source would be interesting.

« Previous Page