Sacrifice a GrapheneOS pixel 6 security for research

grayway2

So, my goal is to understand what data can be recovered from an Android Pixel 6 running GrapheneOS (Android version 15)

The software used will be UFED 4PC for extraction and Physical analyzer for examination both from Cellebrite.

I will try to create as much as data as possible. SMS, MMS, Contacts, Signal and WhatsApp conversations, Photos, Videos, Notes, location data ect.

The device will not be factory reset. The data will be deleted overtime manually.

Bootloader will be unlocked from the beginning. Bootloader unlocked is necessary to install root. Root is necessary for Physical extraction. Physical extraction is the way to create a full dump of the device flash storage.

The device will be unlocked (no passcode) prior to extraction

Getting root is also possible through vulnerabilities so a Company like Cellebrite don't necessary need to unlock the bootloader and could use a CVE to perform Root.

Are you people interested in such project ?

I have already conduct extraction and examination of 2 old phones and was surprised to see that properly factory reset the phone was sufficient to destroy nearly all the data despite data not being encrypted.

userofgos

grayway2 Getting root is also possible through vulnerabilities so a Company like Cellebrite don't necessary need to unlock the bootloader and could use a CVE to perform Root.

This is quite a serious claim, what evidence is there to support this? Specifically for currently supported and secure Pixel 6+ devices running GOS that are not succeptable to Cellebrite BFU extraction.

To my limited knowledge, the only way to get root on GOS is by unlocking the bootloader (which erases all data right?). Also, I thought it wasn't possible for any device over Android KitKat to root without losing all your data?

Again I could be wrong, and am welcome to correction and direction to credible sources. There's just been a lot of misinformation lately about vulnerabilities and LEA's (in)ability to access currently supported Pixel devices running GOS.

raccoondad

grayway2 Just to wonder, how do you plan to extract data from the encrypted device partition?

grayway2

userofgos You can also use a vulnerability from bootloader to perform a dump of the memory.

I'm not saying that they found a solution to root GrapheneOS devices without unlocking the bootloader but I believe they are exploiting CVE to do it on many others recent devices.

Even If they find, they still need to bypass the secure element throttling and brute force the user password because dumping the entire device SSD is a waist of time without unlocking it first if it has a secure element.

Now, my purpose is to perform a physical extraction for educational purposes. I believe it's interesting to understand what they can recover if tomorrow they have a solution to perform a full dump on an unlocked GrapheneOS Pixel.

userofgos

grayway2 I'm not saying that they found a solution to root GrapheneOS devices without unlocking the bootloader but I believe they are exploiting CVE to do it on many others recent devices.

I appreciate the clarification :)

grayway2 Now, my purpose is to perform a physical extraction for educational purposes. I believe it's interesting to understand what they can recover if tomorrow they have a solution to perform a full dump on an unlocked GrapheneOS Pixel.

I'm intrigued as well, looking forward to your findings.

Kaves

First if all, Do you plan to root the device via a patched boot image, Magisk, or exploit-based CVE? Also, for apps like Signal and WhatsApp, do you plan to test recovery under both logged-in and logged-out (or uninstalled) states?

As I understand, GrapheneOS restricts direct access to /data/data even for rooted users without bypassing exec() or SELinux. Will you test UFED’s ability to parse content from encrypted partitions or protected app directories.

And last, How will you differentiate between truly unrecoverable data vs. data not processed due to tool limitations?

I've been using Graphene OS for some time and I want to know what layer of protection we have in a real case scenario if someone gains physical access to the device, thanks for starting this topic and good luck with your research!

grayway2

Kaves Only with a patched boot file. Pixels running GrapheneOS are the strongest targets for forensics so my guess is that if there is unknown exploits available they are only available with Cellebrite Premium.

For WhatsApp or Signal, I plan to test only logged-in as most user will not have the app uninstalled once installed.

To get the best results, I will also use Axiom and Oxygen. I will test UFED ability to parse content from encrypted partitions and protected app directories.

My fear is that unallocated space will give me only encrypted files that I will not be able to decode but a File System Extraction will retrieve most of the hidden system files and get access to cached data.

final

I don't want to spoil the fun, but I already did this with a Pixel 6 (including newer ones) and my copy of UFED 4PC a while ago.

If you have full filesystem access either through exploitation or the OS being rooted, then they obviously have access the full filesystem, just as before. They can get WhatsApp, Signal and all the other apps' data. A physical extraction isn't useful because all data is encrypted by default, so extracting all the unallocated space in addition to the full filesystem would be a waste of time since there is nothing to recover there. In FBE each file has its own keys.

Cellebrite Premium is known to have FFS for unlocked GrapheneOS devices. They have for years, but they can't do any locked device extractions or exploitation of it. It's almost certain it's to do with exploitation of ADB attack surface. It isn't a useful hole for us to close as they'd still be able to open apps, change settings and browse without it, but it would be nice to understand how Cellebrite Premium's FFS is being performed.

As for caching, I confirm caches of deleted files could exist if the caches are not erased. It's conditional on what apps you use and how they deal with cache management. Use the "Clear cache" function in the Settings app for the apps and it will clear it out.

Certain data types configurable in the UFED selection screen can be turned on, but won't do much, like locations. This is because of lack of Play Services, Google Maps apps etc. It is still possible to get some locations by using cached geofence data of nearby networks (WiFi, cellular) - most of what would be cached are the locations at point of seizure though, or places the party would likely know where their target is already, like their home address.

The only things forensics tools do not cover are other data at rest e.g. Profiles. They would be able to know the apps installed on other profiles, but not their data.