@Hathaway_Noa
Recently MSAB sold XRY Pro, which allows access to smartphones with very high security protection.
Specifically, it allows users to access the Galaxy S21, S22 and Pixel 6, 7 without knowing their passwords.
(Not sure if this is a brute-force attack in the BFU state or immediate access in the AFU state.)
https://www.msab.com/ja/product/xry-extract/xry-pro/
Now to the main question: do you know whether XRY Pro can crack a GrapheneOS password?
I would also like to know what a "RAM Brute Forcing Exploit" is.
Thank you all in advance.

    XRY claims on a different page to support full filesystem extractions (extracting all allocated space) on GrapheneOS; however, they state it is consent-based, meaning the device owner needs to surrender the device and allow them to perform the extraction. There is a possible suggestion of exploitation being involved; however, needing to unlock your phone for the extractor to allow this exploit to happen is probably not something a GrapheneOS user would do.

    https://www.msab.com/updates/now-out-xry-10-6-1-release-support-for-ios-17-beta-wider-device-range-and-multiple-app-enhancements/

    XRY is the biggest industry player in targeting Pixels, from what I can gather, but it appears they have limitations with GrapheneOS compared to stock.

    This may sound extremely alarming at first impression, as they are the only major digital forensics company to mention GrapheneOS capabilities in public documentation. The capability to do a filesystem extraction is interesting, considering that it usually involves some kind of exploitation, as it is a level above logical extraction. However, the big picture still stands: they need some sort of consent from the suspect to hand over their device to the investigator and let them unlock it.

    These exploits are possibly (though there is no way of confirming it) AFU exploits, as most cases of using memory to facilitate a forensic extraction involve obtaining encryption artefacts from memory and brute-forcing with those encryption artefacts. Methods like this would also bypass hardware security modules, as the artefacts are in memory and not in the Titan M/M2 security module.

    You would need to have unlocked the device once for sensitive information like that to be in memory. These types of extraction methods are also commonplace on desktops, such as Passware decrypting BitLocker and VeraCrypt encrypted volumes.

    Please see: One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption

    Since the four words "RAM Brute Force Exploit" are the only description you have, it could mean something entirely different from what I just described. More speculation.

    If you have a strong passphrase (or, even better, use a 10-word diceware passphrase, which is impossible to brute force even without throttling) and compartmentalize between different user profiles, this would make extraction increasingly difficult. Using newer Pixel hardware is also better, as newer releases have improved hardware security all around, such as the planned Memory Tagging security features in future Pixel builds.

    Even if you do all of this, if a device is seized then it is left contained, unable to update or patch security issues. Threat actors would have all the time in the world to attempt breaking into the device, because nothing can be done to patch or fix future security issues once it is in their hands. If your device is lost, there is a likelihood that such a scenario is inevitable. The only truly hard-to-defeat systems are software/hardware designed to be anti-forensic/amnesic, like Disposable VMs, TAILS or Windows Sandboxes, but all of them still have some artefacts that could be taken advantage of. These environments work better because performing extractions on them would provide limited results, in the event that an extraction inevitably becomes possible.