Unsubstantiated claims about Sweden exploiting GrapheneOS with no evidence

GrapheneOS

I totally knew 100% you would remark on this. You are right of course, SELinux can be used as whitelist, that is why I put blacklist in quotation marks. It is just, the isolation is not anywhere as tight as Linux namespaces and similar. That is what I wanted to convey.

That's not true, the isolation is stronger than what's provided by namespaces. Everything that's allowed is explicitly allowed and there's substantially more kernel attack surface reduction.

With Linux sandboxing I meant Linux namespaces and so on. GrapheneOS does not isolate neither view of files and their accesses, nor network interfaces or anything else using Linux namespaces. And we have some security weaknesses (or lack of security functionality as you prefer to call it) because of that.

It provides more isolation than namespaces. Namespaces do not prevent giving access to things. Network namespaces providing a separate loopback interface is the only relevant thing that's not possible to do with SELinux but it could be used to restrict access to it. It is a stronger rather than weaker sandbox compared to a namespace-based one which does not imply not having a shared loopback anyway.

DeletedUser335

I’ve put my work aside for now to contribute what I could find from a quick Google search. I’ll continue gathering more information when I have time. Please understand: I have nothing against GrapheneOS — I use it myself on a Pixel Pro. In my opinion, it’s currently the most secure smartphone OS available.

That said, I want to raise awareness about how Swedish police are actively exploiting not only GrapheneOS, but all mobile operating systems. My goal is to shed light on these topic as no one in Sweden discuss this big and not many outside of Sweden knows about this.

Case Reference – Malmö TR B 11984-24
FUP (investigation protocol, in Swedish):
https://files.catbox.moe/xbr5dk.zip

In this particular case, six Pixel devices (all running GrapheneOS) from six different individuals were accessed by the Swedish police. It’s unclear from the documentation whether access was gained via HDA or through physical extraction tools like Cellebrite.

I’ll be requesting more FUPs (court documents) over the coming days. This takes time, as most links expire quickly — meaning I have to contact the courts.

Relevant sources:

Swedish Government proposition describing HDA:
https://www.regeringen.se/rattsliga-dokument/proposition/2024/11/prop.-20242551

Academic study from the University of Gothenburg discussing HDA, including interviews with four Swedish Police IT personnel:
https://gupea.ub.gu.se/bitstream/handle/2077/78556/gupea_2077_78556_1.pdf?sequence=1&isAllowed=y

It’s very difficult to obtain reliable sources on this topic in Sweden, as it’s rarely discussed publicly. The only concrete way to verify this activity is through FUPs, which I need to manually request from the courts and then upload. These documents indicate that Swedish police are capable of accessing phones remotely — regardless of operating system.

That said, it's important to note that factors like user settings or installed apps may also play a role. For example, nearly all Swedes (over 99%) use the BankID app, which is required for authentication across most digital services. It’s possible that such apps or permissions affect exploitability — but that’s speculation at this point.

What I do know — both from court documents and friends who has been jailed etc — is that Swedish police have used HDA techniques to infiltrate devices across different operating systems.

For instance, I personally had a close friend who had a Pixel 6 running GrapheneOS. According to the police, they successfully installed HDA on his device and were able to see all Signal, Telegram, and other encrypted communications for over a month — eventually leading to his arrest. I plan to request the FUP for that case as well. This was summer 2024. I dont have any info regarding version of his phone as it has been taken by police.

It’s a lot of work to get all the FUP, but if the GrapheneOS developers become aware of how these exploits are being used, and can patch or mitigate them, then all this effort will have been worth it.

userofgos

DeletedUser335 You have made multiple unsubstantiated claims that GrapheneOS is vulnerable and has been compromised without providing factual evidence.

DeletedUser335 According to what I've found, it's technically possible for the police to see all data in real-time, including decrypt signal messages, all activity, and more — even on a GrapheneOS.

DeletedUser335 For example, the police have successfully seen signal messages in many cases —even on running hardened operating systems like GrapheneOS—this has been documented in several publicly available court documents (so-called FUPs, or preliminary investigation protocols)

DeletedUser335 One real-world example is a recent major narcotics investigation where police were able to hack SIX grapheneos pixels. This was only 2 weeks ago.

DeletedUser335 Complety remote, here is a statement from the Swedish prosecutor on a case that had HDA involved also they couldn't find the phone so all the evidence they had was completely by distance:

DeletedUser335 Believe me, I know many cases in Sweden where they have exploited many GraphenOS phones with HDA

DeletedUser335 You will all be surprised on what the Swedish police can do on their IT department, they have been doing this since 2020.

DeletedUser335 Hahahahah, change the that when I send the links. Sorry, next time I will provide all the sources directly.

DeletedUser335 Swedish police are actively exploiting not only GrapheneOS, but all mobile operating systems.

DeletedUser335 In this particular case, six Pixel devices (all running GrapheneOS) from six different individuals were accessed by the Swedish police. It’s unclear from the documentation whether access was gained via HDA or through physical extraction tools like Cellebrite.

DeletedUser335 these documents indicate that Swedish police are capable of accessing phones remotely — regardless of operating system.

DeletedUser335 For instance, I personally had a close friend who had a Pixel 6 running GrapheneOS. According to the police, they successfully installed HDA on his device

It seems likely to me that @GrapheneOS is correct in saying that:

GrapheneOS The claims being made by @tjackvatten have also massively shifted from the original posts to what they are claiming now. Take a look at the first 3 posts and compare that to what they're claiming now. Take a look through the discussion and you'll see repeated requests for proof. The claims being made are not consistent and have becoming increasingly extreme. To us, this looks a lot like someone talking an LLM into telling them what they want to here and believing what it says even though all they do is generate believable nonsense appealing to the person talking to them. LLMs are an extreme form of people reading a very narrow set of unreliable sources catering to what they want to hear.

userofgos

DeletedUser335 Academic study from the University of Gothenburg discussing HDA, including interviews with four Swedish Police IT personnel:
https://gupea.ub.gu.se/bitstream/handle/2077/78556/gupea_2077_78556_1.pdf?sequence=1&isAllowed=y

I deeply question the credibility of @DeletedUser335. The following link referenced here has zero relation to anything discussed in this thread and is in fact a research paper on Glucocorticoid-induced adrenal
insufficiency. Is this a joke?

The closest thing I can find relating to Secret Data Reading from the Gothenburg University Library is a thesis on Secret Data Reading Opportunities and restrictions for the Police Authority source:https://gupea.ub.gu.se/handle/2077/67316

DeletedUser335 Swedish Government proposition describing HDA:
https://www.regeringen.se/rattsliga-dokument/proposition/2024/11/prop.-20242551

This link only proves that the Swedish Government is taking more extensive measures to make Secret Data Reading (also called HDA) more pervasive.

de0u

DeletedUser335
Case Reference – Malmö TR B 11984-24
FUP (investigation protocol, in Swedish):
https://files.catbox.moe/xbr5dk.zip

I don't read Swedish (at all).

That ZIP file contains a bunch of long PDFs in Swedish. I picked one, "Malmö TR B 11984-24 Aktbil 363-1.pdf", searched for "GrapheneOS", and fed several pieces of what I found into Google Translate.

Here is one piece, from page 1219:

Undersökning av bilder

Båda bilderna var sparade under sökvägen /data/media/0/pictures/ i mobiltelefonen. Vilket är sökvägen för mobiltelefoner med GrapheneOS som bland annat applikationen Signal använder för att lagra bilder som sparas från applikationen till mobiltelefoners album.

Båda bilderna följer den namnstandard som bilder som är tagna eller sparade från en konversation med Signal för GrapheneOS har. Namnstandarden som Signal för GrapheneOS använder är signal-DATUM-TID.jpg. I Signal kan man ta bilder direkt via applikationen och sedan skicka till mottagare. Det går även att spara ner bilder till mobiltelefonens album innan de skickas. Om bilder sparas ner till mobiltelefonens album innan de skickas
så sätts datum och tid i filnamnet till tidpunkten då bilden sparas ner.

Om en bild istället sparas ner till mobiltelefonens album från en konversation i Signal där bilden redan har skickats, oavsett om det är en mottagen bild eller en skickad bild så kommer datum och tid i namnet på bilden sättas till det datum och den tid då bilden skickades i konversationen, även om bilden sparas vid ett senare tillfälle.

According to Google Translate:

Examination of images

Both images were saved under the path /data/media/0/pictures/ in the mobile phone. Which is the path for mobile phones with GrapheneOS that among others the Signal application uses to store images saved from the application to the mobile phone's album.

Both images follow the naming standard that images taken or saved from a conversation with Signal for GrapheneOS have. The naming standard that Signal for GrapheneOS uses is signal-DATE-TIME.jpg.

In Signal, you can take images directly via the application and then send them to the recipient. It is also possible to save images to the mobile phone's album before they are sent. If images are saved to the mobile phone's album before they are sent, the date and time in the file name are set to the time the image is saved.

If a picture is instead saved to the mobile phone's album from a conversation in Signal where the picture has already been sent, regardless of whether it is a received picture or a sent picture, the date and time in the picture name will be set to the date and time when the picture was sent in the conversation, even if the picture is saved at a later time.

I'm not going to slog through a long document in Swedish to see whether or not it says how the investigators got into that particular phone's "Pictures" directory, but for all I know at this point it was by shoulder-surfing a PIN.

Personally I think it's high time for the two posters making dramatic claims in this thread to stop making new claims and provide solid evidence for (at least) one pre-existing claim. Let's have:

a specific claim that has already appeared in this thread,
a case number,
a police document matching that case number,
specific page numbers in that document matching the claim

ryrona

locked If the Swedish authorities truly had a way to remotely and silently exploit GrapheneOS, they would use it quietly and surgically, not discuss it in public or reveal it in court.

Actually, if there is a tool being used, the ones who have used it and then present evidence in court extracted using that tool may very well tell they used the tool.

They are investigators, not the developers nor owners of the tool. They will of course not tell any details about how the tool works, partially because they don't know that themselves, but information such as "accessing phone using tool X by IMEI number" might very well be in a court report.

DeletedUser335 That said, it's important to note that factors like user settings or installed apps may also play a role. For example, nearly all Swedes (over 99%) use the BankID app, which is required for authentication across most digital services. It’s possible that such apps or permissions affect exploitability — but that’s speculation at this point.

If the attack vector was a government provided app such as BankID, they would need your social security number for exploitation, not your IMEI number. Also, if they planted exploit code in their apps, that would seriously erode trust in those apps among citizens once discovered, which is highly undesirable for the authorities, as it will badly harm the economics and general trust in law enforcement agencies and by extension the law itself. So that is not very likely.

DeletedUser335 Case Reference

I will look through the files you uploaded later today. I am Swede and read Swedish fluently and have as an activist experience in reading legal documents and court reports. I am fairly confident I will be able to tell if there is something to worry about here or not.

GrapheneOS

@DeletedUser335 You've provided no evidence for the claims you've made about GrapheneOS. We've searched ourselves and found forums where you appear to be using other accounts to post unsubstantiated similar claims about GrapheneOS. You have not provided evidence of a single example of GrapheneOS being exploited.

In this particular case, six Pixel devices (all running GrapheneOS) from six different individuals were accessed by the Swedish police. It’s unclear from the documentation whether access was gained via HDA or through physical extraction tools like Cellebrite.

You've provided zero evidence of anything being exploited rather than consent-based data extraction being performed. Cellebrite's capabilities are known to us since we have access to their recent documentation. We occasionally get similar info for Graykey and XRY Pro.

For instance, I personally had a close friend who had a Pixel 6 running GrapheneOS. According to the police, they successfully installed HDA on his device and were able to see all Signal, Telegram, and other encrypted communications for over a month — eventually leading to his arrest. I plan to request the FUP for that case as well. This was summer 2024. I dont have any info regarding version of his phone as it has been taken by police.

Once again, the claims you're making are becoming far more extraordinary over time than what you started with asking and talking about. You aren't being at all consistent. You're claiming something extraordinary with no evidence after making other similar claims. These claims appear to be false. We don't know what your motivation is for doing it, but you appear to be doing it across multiple sites.

It’s a lot of work to get all the FUP, but if the GrapheneOS developers become aware of how these exploits are being used, and can patch or mitigate them, then all this effort will have been worth it.

It does not appear there are any exploits of vulnerabilities for us to patch or mitigate here.

DeletedUser335

GrapheneOS

Maybe I am wrong but thanks for clarifcation. I have asking around not claiming.

DeletedUser335

GrapheneOS

I want to clarify that I have not claimed anywhere that GrapheneOS itself is vulnerable or compromised I have only asked if this is the case. I have been asking questions about how the police gain access to phones trough HDA as I have read in other forums that the Swedish police can get inside trough HDA — There’s a big difference between raising questions and making accusations. I have been very clear that MYSELF use a graphenos and would also recommend other to do. I have asked about this issue in two forums? One Swedish and this one? Idk what you mean?

GrapheneOS

userofgos A lot of what they've posted looks like someone copying or paraphrasing what an LLM is claiming after they've coached it to tell them what they want to hear.

userofgos

Motionsickness Dear god I don't know how to quote properly.

haha I find it hard to quote properly on mobile, desktop is simple and the UI/UX is better.

Motionsickness As much as posters here want to suggest that some posters are LLMs

I'm guessing the quote below is what you were referring to

de0u Here is a piece about a recent situation where university researchers deliberately violated the terms of a Reddit group by injecting LLM participants: Unauthorized Experiment on CMV Involving AI-generated Comments; here is a post by the Reddit moderators: https://www.reddit.com/r/changemyview/comments/1k8b2hj/meta_unauthorized_experiment_on_cmv_involving/

Because there are ethical ways to experiment on LLMs interacting with people, anybody running unethical experiments (such as by deploying LLMs on forums with explicit rules against that) is behaving unethically. It's that simple.

This so called experiment was definitely eye opening to me about the potential impact LLM's can have on public thought and discourse. Whether it be directly as in this experiment via the LLM's themselves actually posting/commenting; or indirectly via individuals prompting/conversing with LLM's and then regurgitating the output into public forums.

Back to the reason why this is relevant ⤵️

GrapheneOS A lot of what they've posted looks like someone copying or paraphrasing what an LLM is claiming after they've coached it to tell them what they want to hear.

And we have yet to hear a response from @DeletedUser335 and @AltruisticMidget with the following information about their original (and unsubstantiated) claims.

de0u provide a proper citation, meaning:
a specific claim that has already appeared in this thread,
a case number,
a police document matching that case number,
specific page numbers in that document matching the claim

That said, LLMs frequently struggle to provide proper citations, so an ongoing absence on that front might be suggestive.

de0u

Here is a piece about a recent situation where university researchers deliberately violated the terms of a Reddit group by injecting LLM participants: Unauthorized Experiment on CMV Involving AI-generated Comments; here is a post by the Reddit moderators: https://www.reddit.com/r/changemyview/comments/1k8b2hj/meta_unauthorized_experiment_on_cmv_involving/

Because there are ethical ways to experiment on LLMs interacting with people, anybody running unethical experiments (such as by deploying LLMs on forums with explicit rules against that) is behaving unethically. It's that simple.

userofgos

de0u Here is a piece about a recent situation where university researchers deliberately violated the terms of a Reddit group by injecting LLM participants: Unauthorized Experiment on CMV Involving AI-generated Comments; here is a post by the Reddit moderators: https://www.reddit.com/r/changemyview/comments/1k8b2hj/meta_unauthorized_experiment_on_cmv_involving/

Because there are ethical ways to experiment on LLMs interacting with people, anybody running unethical experiments (such as by deploying LLMs on forums with explicit rules against that) is behaving unethically. It's that simple.

de0u This is diabolical. I surely hope this isn't the case with this thread...but I'm beginning to see some similarities.

AltruisticMidget

de0u I'm not going to slog through a long document in Swedish to see whether or not it says how the investigators got into that particular phone's "Pictures" directory, but for all I know at this point it was by shoulder-surfing a PIN.

HDA, remotely. Read the complete FUP before speaking.

Personally I think it's high time for the two posters making dramatic claims in this thread to stop making new claims and provide solid evidence for (at least) one pre-existing claim. Let's have:
a specific claim that has already appeared in this thread,
a case number,
a police document matching that case number,
specific page numbers in that document matching the claim

You got the case files from Tjackvatten. Read them?

Claimspro

de0u if you can post them in another format I will take my time to read them today. Cant accses zip.

de0u

AltruisticMidget You got the case files from Tjackvatten.

There are some files, one of which appears to be a case file. That one appears to contain the string "GrapheneOS" some times.

Read them?

That's not how citing a source works. It is not reasonable for you to expect even people who do read Swedish to sift through multiple documents of hundreds or thousands of pages in search of evidence for specific dramatic claims just because you are unwilling to provide page numbers that would support a specific claim.

That is even more true given somewhat plausible indications that what is being posted here is LLM output including hallucinations.

Let's have a solid citation.

dhhdjbd

always the same with these.
the evidence is at the same time easily avaible and accessible for everyone

yet also somehow is anyone unable to just show any specific evidence

(and providing random mountains of pdfs is not providing evidence, just some strategy to appear credible or convincing, without providing anything reall)

Xtreix

My verdict : No, Sweden doesn't exploiting GrapheneOS on supported Pixel devices, thank you and goodbye.

locked

If the Swedish authorities truly had a way to remotely and silently exploit GrapheneOS, they would use it quietly and surgically, not discuss it in public or reveal it in court. The more likely explanation for these claims is a combination of misinterpretation, speculation, and possibly psychological deterrence. GrapheneOS is not unbreakable, but actual proof of compromise requires detailed, technical, and verifiable evidence, not rumors or indirect quotes from legal documents.

locked

ryrona Sure, courts might reference that a tool was used or mention terms like HDA, and investigators aren’t expected to explain the tool’s internals. But the issue here is not whether tools exists, rather, whether those tools have demonstrably exploited GrapheneOS remotely, silently, and reliably on updated devices.

So far, no court document publicly cited shows:

The method of entry,

The version of GrapheneOS used,

Or whether any zero-day or endpoint exploit was involved.

Simply mentioning that evidence came from HDA or was retrieved via an IMEI identifier does not prove that a modern GrapheneOS install was compromised. That would require technical forensics, not just procedural legal language.

If that kind of tool is being used consistently against GrapheneOS and disclosed in Swedish court docs, it’s surprising that none of the actual exploit details have surfaced, nor have any researchers verified it.

Until that happens, it’s not wrong to remain skeptical and ask for verifiable, technical evidence, not general implications.

de0u

Xtreix It would probably be best to close this thread [...]

I expect input from ryrona when available will be of high quality.

And in theory the team of @DeletedUser335 and @AltruisticMidget might still provide a proper citation, meaning:

a specific claim that has already appeared in this thread,
a case number,
a police document matching that case number,
specific page numbers in that document matching the claim

That said, LLMs frequently struggle to provide proper citations, so an ongoing absence on that front might be suggestive.

ThrivingRelease

Those claims by Swedish police sound like some kind of psychological pressure, "we can access everything you do on your smartphone, so don't you dare to even try to do anything illegal".

grayway2

I don't think that Sweden have the capabilities to remotely exploit an up to date GrapheneOS Pixel.

IPhones were an interesting target for firm like Pegasus because of the user base. Most of the celebrities, journalists or politicians use an iPhone which means more exploitations and finally more cash inflow.

But how about GrapheneOS ? The user base is like x1000 less important and to make profits the company who'll develop exploits for GrapheneOS will have to sell them at higher prices.

Will Sweden pay millions to exploit a GrapheneOS Pixel ? Maybe but only If the target is extremely valuable.

AltruisticMidget

grayway2

They dont pay a dime to use it. Swedish tax payers do. The tools are developed by FRA.

Sweden is a different country in many ways. I'm glad to live in Norway.

It is like NSA would provide tools to local police in US!

grayway2

AltruisticMidget Right but FRA budget is not equivalent to NSA so spending millions on one target needs few approvals.

Claimspro

locked

Its common in cases in sweden where crimes happens, that the persons normal Iphone has HDA and takes a picture of his Pixel with grapheneos to send pictures of his contact information to people who need to add him and in that way they have proof that a specific pixel phone has been using grapheneos with signal.

This I have seen multiple times.

Confirming in that court/case that HDA has been used if its been used on the Pixel in the FUP it clearly says that its been used on that phone, since there are sections that provides info on what was used on what phone.

« Previous Page Next Page »