[deleted] the initial question was answered.

Nobody can give an 100% correct answer on what can be done against pixel in AFU mode. Because it can change right now.

The only 100% correct answer is make sure to always have control of the state the device is in. Use it only in AFU mode when you can make sure you are the one that can change it into BFU.

BFU with 128 bit of random entropy pass isn't possible to decrypt without the password.

  • [deleted]

  • Edited

I would say that every device is as secure as you are willing to make it. And any important information that you don't want to share should be kept in a place no one can find. That may prove difficult in practice, but I always remember old Vikings and how they used to hoard their silver and what was safe yesterday may be easy to find tomorrow...

Hathaway_Noa my friend im hundred percent on what you say about don't rely on titan. This is what i also recommend and do.

Now on the subject of law enforcement. Most of them, even at the federal level, have no idea about infosec. They are specifically trained in groups and most of the tasks are done by external companies. Such as Cellebrite, grayshift, pegasus etc. I also have chats where authorities claim to be able to decrypt signals over the air. Do we want to discuss this also? That's why I've talked about the court case several times. Because that's the only thing that matters. There is a criminal procedure. It must be possible to verify the integrity of the data, otherwise it cannot be used. It must be ensured that the data has not been altered. This is only possible if every step is precisely documented and reproducible. This means that the complete technical process must be verifiable on request. Otherwise, even the dumbest defense lawyer can question the integrity of the data. All this was encrochat and Sky and now anom not possible because the prosecutors have used a simple trick. The source of the data are countries where these disclosure laws do not exist. It is simply said that the investigating authorities and courts that produce the source of the data are trusted to comply with all laws.

As a simple example related to Germany. Here, an investigating judge is not allowed to order a so-called source telecommunication surveillance. Only a criminal court can do that. In Germany, the encro hack would have been legally impossible to implement. The criminal procedure order was deliberately circumvented by them.

After all the defense lawyers in Germany had to watch stunned as their clients were sentenced, they founded an association that has collected everything in German criminal law that is relevant. And according to the current status, Cellebrite must describe such a circumvention in detail in court.

In Holland, the laws are even stricter. In short, the chat with an official there is hot air until it comes to court. Just ask him for a file number. In court he would have to explain how they do it. This is why such vulnerabilities get closed soon as they hit the court. This doesn't apply to all countries. But Germany, Belgium, Netherlands. Belgium has imposed an absolute ban on the use of evidence over encro.

    The ECJ is currently dealing with this very question. Do the raw data in Europe about encro have to be released by the authorities or not. Judges have turned to the ECJ not only clients. With the argumentation that they cannot verify the integrity of the data according to the current state of affairs. For authenticity to be verified requires raw data and obtaining it. Quite simple.

    Nuttso With all due respect but encro and sky chats are regarded as proof in the Dutch courts and a lot of people have already been sentenced for years in prison based upon these encro and sky chats, there is currently a group of lawyers fighting against this as they say and explain like you that the way the Dutch cops got their hands on these chats was illegal and they cant proof the integrity of the data. But regardless of this the Dutch courts on general have been using these chats as valid arguments against suspects. Also I believe the encro and sky hacks are irrelevant to the question of this topic, in Dutch jurisprudence the cops are allowed to keep information hidden even in the court. Especially detailed information regarding hacks and other forensics, until today the encro and sky hacks are classified information in the netherlands and the details are still not released.

    But to go back to bruteforcing, this is something else. The encro and sky hacks had nothing to do with bruteforcing the devices of the 'criminals', the most likely scenario is that the cops have social engineered the people responsible of the Sky and Encro servers, they managed to get into those servers and managed to get their hands on the signing keys of the encro and sky chats, after that they most likely prompted a push auto-update with malicious code (malware) which managed to compromise all the phones connect to the networks of sky and encro. So again, a totally different scenario from bruteforcing a phone. I believe pixel phones are the best out there, but I also believe that a pixel user should use a strong and long password to keep their device safe. Also AFU mode is even more exploitable and someone should always asses that AFU mode is not safe. Auto-reboot is a must!

      Hathaway_Noa With all due respect but encro and sky chats are regarded as proof in the Dutch courts and a lot of people have already been sentenced for years in prison based upon these encro and sky chats

      Never claimed something different. You didn't read what i say why they are capable of doing this.

      Hathaway_Noa Especially detailed information regarding hacks and other forensics, until today the encro and sky hacks are classified information in the netherlands and the details are still not released.

      Exactly this is the point you didn't get. It's not the dutch prosecutors or courts keeping them classified. It's France and eurojust.

      If you are followed by police and they build a case around you and it happens that they arrest you. The court orders to investigate the device. And no they can't keep secret how they succeeded in extraction. If you did the crime in NL. If an NL judge orders the extraction.

      Just ask a lawyer in Netherlands. They can't. I talked about encro and sky because they shipped around this.

      Injection of code into Fastboot and grabbing keys from titan m would need to be proven in court.

      This is the reason why intelligence agencies in countries with such laws are very careful what and who they take to court. They weigh very carefully what they want to see documented and what not.

      Hathaway_Noa The encro and sky hacks had nothing to do with bruteforcing the devices of the 'criminals', the most likely scenario is that the cops have social engineered the people responsible of the Sky and Encro servers, they managed to get into those servers and managed to get their hands on the signing keys of the encro and sky chats, after that they most likely prompted a push auto-update with malicious code (malware) which managed to compromise all the phones connect to

      It's already known how they did it. And no it wasn't any social engineering. Encro was outdated af and vulnerable to hundreds of public known exploits. And sky they compromised the signing keys.

      @Hathaway_Noa It's inappropriate to post these kinds of claim on our forum without evidence. You're also misunderstanding and misrepresenting a vulnerability that's purported to exist in fastboot firmware which does not bypass the Weaver throttling and is only usable to retrieve data that's not at rest. Please don't spread hearsay that has gone through multiple layers of broken telephone as if it's a fact.

      This thread unfortunately contains a lot of misinformation and bad advice. We recommend not following any of the previous advice given in this thread and there are numerous inaccurate claims made here. This thread is not a good source of information about this topic.

      Please read https://grapheneos.org/faq#encryption for a high level explanation of how disk encryption is implemented. Our recommendation is to choose whether or not you want to rely on the secure element throttling (Weaver) and then proceed based on your decision. Since each user profile has separate encryption keys based on their lock method, you can make different choices for different user profiles. Random 6 digit PIN is a baseline where you depend entirely on Weaver for security. Random passphrase can have enough entropy to be secure even without the hardware features. It should have at least around 90 bit entropy to be secure against any attacker. 128 bits is the standard extreme overkill value and is the upper bound on what's reasonable to use.

      Please bear in mind that the passphrase is turned into a key via scrypt key derivation and then further key derivation is done with other inputs including the random Weaver token. The final phase is hardware-bound key derivation. If an attacker can exploit the secure element (exploiting the bootloader does not help), they can bypass the Weaver throttling. If an attacker can extract the key from the SoC, they can perform the final key derivation on a server farm instead of only on the device. They still need to run the key derivation algorithms. Your passphrase is not used as a key but rather is the most important input for deriving the key encryption key used to encrypt a random disk encryption key.

      7 random diceware words or 18 random lowercase letters / numbers are both slightly above 90 bit entropy. If you want to completely avoid depending on hardware, that's the baseline for what you should use. You don't need 128 bits of entropy for a random passphrase to be secure against any attacker, but you may want more than 90 bits. 128 bits is an extreme overkill value used to design encryption algorithms. Part of the reason for using an extreme overkill value is in case there are partial breaks of the algorithms reducing their security, which is not relevant to a random passphrase used as input for key derivation.

      Our official advice will be added to the website and in the future people should link to that.

        It will be deleted. This is an important topic. Need to get this right

        It's definitely not possible what the authorities claimed

        L8437

        Daniel recommends 90 bit = slinging massive kiwi penholder closable wolverine roundish

        I recommended 128 bit = managing stoppable covenant silenced small harness recolor curvature friend veto

        96 bit should be enough

        https://diceware.rempe.us/#eff

        4 days later

        GrapheneOS What about the other way around? A 7 word diceware password for the Owner user profile, and a PIN for secondary user profiles where the apps and data live? This way you have a strong password protecting the boot, but only need to enter it upon boot (assuming that an adversary only gets physical access to the phone when it is turned off).