Here's the Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024.
404media recently published an article based on the same April 2024 docs we received in April and published in May. Many tech news sites including 9to5Mac made incorrect assumptions treating that as current.
So if im correct:
Modern iPhone with latest IOS:
- After first unlock extraction is possible.
- Before first unlock extraction (partially) possible.
- Brute force NOT possible.
Modern Pixel with latest GrapheneOS:
- After first unlock extraction is NOT possible.
- Before first unlock extraction is NOT possible.
- Brute force NOT possible.
Modern Pixel with latest Android:
- After first unlock extraction is possible.
- Before first unlock extraction (partially) possible.
- Brute force NOT possible.
Yes, but they can develop new exploits, so there is more to consider.
GrapheneOS users have auto-reboot enabled by default which gets the device to BFU from AFU automatically, so GrapheneOS users don't have to worry about future AFU exploits for a device obtained by an adversary in the past.
A strong passphrase avoids relying on the iPhone/Pixel brute force protection. It's holding up against Cellebrite right now, but not necessarily against the US government using hardware tampering.
Our upcoming 2-factor fingerprint unlock feature will help our users avoid relying on the secure element. GrapheneOS users will be able to use a strong passphrase for primary unlock and fingerprint+PIN for secondary unlock to avoid the usual drawbacks of biometric unlock. For this purpose, a 4 digit PIN will be fine since there are only 5 overall attempts. We hope it's usable enough that a large portion of our users end up moving to it. This will combine very well with auto-reboot.
@GrapheneOS
Thank you.
I'm now interested to know what happened after the 2022 SPL update.
And do we know which data is (partially) extractable after first unlock on stock Pixel Android and IOS?
Sorry if this is a noob question: Does it make a difference if you manage to wipe the device (remotely) before forensics gets to copy the data or are there tools to retrieve the data anyway?
@trochi @ilias On GrapheneOS, if the device is wiped, all data from storage is immediately not recoverable right after the factory reset starts due to wipe-without-reboot support which was also implemented upstream in Android 14 QPR3 onwards and then later backported as an Android Security Bulletin patch.
GrapheneOS has the standard device admin wipe API and this uses the standard wiping with wipe-without-reboot support.
We also have extra improvements to wipe-without-reboot in GrapheneOS.
@ilias @trochi GrapheneOS has the standard device admin API for wiping the device which can be used to wipe the device remotely. However, it's standard operating procedure to put a phone in a faraday bag.
The device does not have to be in AFU mode to wipe it remotely, a device admin app can support running in BFU via direct boot support. However, why would the device be allowed to be on and connected to the internet for the proposed threat model?
Glossary:
BFU: Before First Unlock exploitation of OS
BF: Brute Force password after BFU exploitation, which requires bypassing secure element brute force protection if implemented
AFU: After First Unlock exploitation of OS
FFS: Full Filesystem Extraction from an unlocked device
After First Unlock
Before First Unlock
Full Filesystem Extraction
Brute Force
Cellebrite appears to be able to get the iOS lock method as part of their AFU exploit and uses that to obtain the small subset of data meant to be kept at rest while locked After First Unlock so they're not differentiating between those iOS data classes because they've defeated the whole purpose of those data classes. Hopefully, Android's upcoming implementation actually works properly. We'll see.
What happens if GraphenOS leads a coalition of AOSP projects in a lawsuit against #Cellebrite (and others) on DMCA 1201 anti-circumvention grounds?
Cellebrite isn't the only company building these kinds of exploits and governments around the world want these capabilities so they're going to get them built. We work on securing against it through technical measures rather than trying to stop it with legal or political action. It's simply not what we do. We'll defend ourselves as an organization and our team members as individuals when they're attacked but this is something we need to address with technical measures.
@GrapheneOS I love how they phrase it as "YES, with a caveat" instead of the more accurate "NO, except for very old versions".
Thanks for the great work. Having learned how cheap Cellebrite is, it is probably a real threat to anyone who is at risk of being hassled by law enforcement.
@GrapheneOS Still I'd not trust on this staying the same forever.
Also #Cellebrite as a #Govware vendor needs to be criminalozed for their #malware alone!
@GrapheneOS consider a "suicide code" that literally if enabled, configured ans entered as lockscreen pin/password will allow users to destroy their device and it's storage content by wiping the headers needed to decrypt the data if not short the battery.
If it didn't require basically engineering an entire new mainboard, I'd suggest to go full asshole on those #Govware machines and literally run a #USBkiller against that #Cellebrite garbage.
@kkarhan We already have a duress PIN/password feature which wipes the device nearly instantly without requiring a reboot to recovery. It does it when you enter the PIN/passphrase in any place the OS requests it, not just the lockscreen.
It's too easy to enter a fingerprint by accident. We have a 2-factor fingerprint feature in development and you'll be able to enter the duress PIN as the special PIN requested after the fingerprint is accepted before the device is unlocked.
@GrapheneOS good.
Now I just need to find a device that you support that isn't a gued-shut & unrepairable mess with real #DualSIM, #MicroSD & #HeadphoneJack...
I really wished you'd support #shift and #Fairphone|s...
@kkarhan Those are insecure devices which are missing many of our security requirements. They're missing what we need to provide protection against exploits Cellebrite and similar companies.
https://grapheneos.org/faq#future-devices
The devices we support do have real dual SIM. eSIM is increasingly the norm and they support either physical SIM + eSIM or dual eSIM. GrapheneOS has perfectly usable eSIM support included.
The devices we support have USB-C digital audio output along with DisplayPort alternate mode.
@kkarhan There's no point in waiting for us to support devices not meeting even basic security requirements. It's never going to happen. If there was a device missing only a couple minor features we could consider removing them as hard requirements, but we're certainly not going to remove any of the important features.
Both of those phone brands are missing even proper security patches for firmware/drivers which would impact GrapheneOS too. A large portion of that list is missing for them...
@GrapheneOS I mean if you have an actual laundry list of points to do then I'm shure they could do it...
@kkarhan There's already a list available at https://grapheneos.org/faq#future-devices which we've linked to you above. Neither company you've brought up appears to prioritize security and it's not a matter of us providing them with a list of requirements. These are nearly all quite standard security features and any company wanting to compete with iPhone and Pixel security would need to implement it.
Pixels are the AOSP reference devices and officially support installing another OS. It doesn't void warranty.
@GrapheneOS then please provide a list of said requirements so that manufacturers could actually comply to them...
Thanks.
@GrapheneOS It's just that I hate #eSIM as I'm used to swap SIMs.
If I want eSIM I can get a reprogrammable eSIM card.
Personally I'd just wosh the folks at #shift and #fairphobe would work with you to get those security issues fixed.
And no, I can't stand #USBc dongles as a matter of principle, because there is no good reason for a phone to not have a #HeadphoneJavk when #Sony even made Smartphones that were #watertight that had them!
> It's just that I hate #eSIM as I'm used to swap SIMs.
You can have a physical SIM and 2 eSIM, with two used at the same time. eSIM is nearly entirely superior and uses a higher quality secure element included in the phone... It is superior from a user perspective and only inferior from a carrier control perspective. Not clear why you don't like it.
> Personally I'd just wosh the folks at #shift and #fairphobe would work with you to get those security issues fixed.
They won't.
It runs in a secure element provided specifically for this purpose instead of putting a secure element from the carrier into your device. The carrier is forced to trust a secure element they don't control. Not all of them are fans of this.
Easy eSIM transfer does exist but isn't universally supported yet. You can always just have a new one issued.
Mainly that they don't control the SIM hardware but rather the secure element in the device has to be trusted by them. A physical SIM and eSIM are both well isolated but in theory they could do something shady with a SIM since it's their hardware.
The attack surface for the OS, etc. is similar either way. However, if they have a piece of hardware you're inserted into your device and carry with you that's placing a somewhat higher level of trust in them regardless.
@GrapheneOS Does this mean an A12-powered iPhone with 17.5 in BFU will yield only what is listed here?
https://cellebrite.com/en/what-can-be-recovered-from-bfu-data-collection/
Do you have info covering 17.6.1?
GrapheneOS
Ilias 🤓
Jan Turowski
alihan_banan
aa
Orca 🌻 | 🎀 | 🪁 | 🏴🏳️⚧️
Paraplegic Racehorse
Hannah
Kevin Karhan 
Exerra 
Apicultor 🐝