How vulnerable is a Pixel 9a running Graphene while in AFU mode?

x19382

Would an adversary who seized your device and has forensic tools such as Cellebrite be able to access your data due to the phone being in AFU? Or would they still need to gain the passcode? What would a Pixel running Graphene in AFU mode fare up like compared to a new iPhone in BFU mode?

If your data is unencrypted in AFU mode, what is preventing Cellebrite from extracting your data in AFU? What is protecting your data?

MotherShipton

Settings - Security and Privacy - Exploit Protection - USB C Port

If the option is set to 'Charging only when locked' then the port is sealed as regards data extraction. Then it comes down to the strength of your unlock code as I believe this is the only way in.

pxlkng

MotherShipton Then it comes down to the strength of your unlock code as I believe this is the only way in.

Its not the only way in.
If enabled, Bluetooth, WiFi, NFC, the carrier network and already installed apps could possibly be used as well. Basically everything that makes it possible to send data to the phone in some manner such that the data is processed on it.

USB is the biggest directly exposed attack surface, though, everything else is not nearly as bad.

Be aware that as long as the USB port is not fully disabled by setting it to "Off", an attacker could still theoretically leverage PD protocol vulnerabilities as well, although this is very unlikely.

MotherShipton

Plus you can factor in the auto-reboot function which limits the time your phone could be in the wrong hands before reverting to BFU. Depending on your personal threat model, you could set this to reboot in as little as 10 minutes without a successful unlock.

x19382

pxlkng But would the attacker still require the passcode to get into a locked AFU gOS device? Or are the encryption keys in memory

DeletedUser550

pxlkng

"Its not the only way in."
you're all, possible or theoretical, got any actual...

pxlkng

x19382 Or are the encryption keys in memory

Yes, they have to be, as long as a profile is being used, otherwise the data couldn't be accessed.
If you put a profile at rest, its encryption keys are purged from memory and it effectively goes BFU.
As owner cannot be put at rest, the only way to get Owner BFU is rebooting the device.

x19382

pxlkng So the attacker could get into your gOS device without the passcode as long as it is in AFU mode?

pxlkng

x19382

By exploiting it in some way, yes, possibly. That's why BFU is better/more secure than AFU and why auto-reboot timer exists.

x19382

pxlkng But I mean like general cellebrite, graykey, etc forensic tools. Can they just gain access to your data if it's in AFU mode due to the keys being in memory without having the passcode? I know this is the case with stock androids, wondering if gOS is different.

Eumenia

x19382 But I mean like general cellebrite, graykey, etc forensic tools. Can they just gain access to your data if it's in AFU mode due to the keys being in memory without having the passcode? I know this is the case with stock androids, wondering if gOS is different.

I think it's very hard to actually get access to the keys even if they are in memory.
You can't just send the phone a command like pull_encryption_keys()and then it gives them to you.
And if you take out the RAM while running, the keys are probably getting corrupted.

But I'm not a hardware security guy, so it's only speculation

MotherShipton

There was a post from some weeks ago that showed a leaked Cellebrite memo (?) stating that they were unable to get into an AFU GOS device. I cannot locate the post just now but I think they were able to get into an EOL device no longer receiving updates. A 9a is supported until April 2032 so while it is kept up to date it seems to be safe.

MotherShipton

https://arstechnica.com/gadgets/2025/10/leaker-reveals-which-pixels-are-vulnerable-to-cellebrite-phone-hacking/

The Cellebrite table says that Pixels with GrapheneOS are only accessible when running software from before late 2022—both the Pixel 8 and Pixel 9 were launched after that.

(Note that this is advice from some time ago and I'm just reporting it. I'm not expert and would not seek to suggest that you bet your life on it)