@matthew_d_green

It's strange that this article is presenting leaked Cellebrite documentation about iOS from April 2024 as still being fully applicable in July 2024. Certain iOS and Android updates cause their existing exploits to stop working. That doesn't mean they don't port them to newer versions or develop new exploits. It's several months after April already.

Their article about the leaked info is also very wrong and misunderstands several things including lack of old device support.

@matthew_d_green

This is where the Cellebrite Premium documentation from April 2024 was originally published in May, showing all of the tables instead of selectively choosing them:

https://grapheneos.social/@GrapheneOS/112462756293586146

That shows each table, not only select ones, and properly explains it.

News publications only cared after 404media published an article this week, but their article didn't cover much about what's in it and it's several months later now. Other news sites have done made inaccurate coverage.

@matthew_d_green

What the documentation shows is that in April 2024, Cellebrite had working exploits for nearly all Android and iOS devices but was currently a couple months behind on supporting iOS versions.

It also showed they could not yet bypass secure element throttling on the iPhone 12 or later / Pixel 6 or later but had bypassed it on earlier versions. Pixels added it with the Pixel 2 and iPhones also added it a long time ago, and that didn't hold up against them over the long term.

@matthew_d_green

An interesting part of it is that the iPhone data classes for keeping data at rest while locked don't work since Cellebrite has an exploit for obtaining the lock method as part of an exploiting an AFU device, which they mark as IPR in the table.

It's likely they've partially caught up on iOS version support since April 2024. They may be fully caught up. It's strange to present it as if they would have done absolutely nothing through April, May, June and now part of July.

@matthew_d_green We're talking about 2 different things:

1) iPhone 12 and later / Pixel 6 and later are successfully preventing Cellebrite from brute forcing even a random 6 digit PIN via their secure element, but they've bypassed it by exploiting the secure element on earlier devices

2) The can usually exploit nearly the most recent iOS or Android on nearly any device, either BFU or AFU. They tend to fall behind a few months if vulnerabilities either get patched or the OS just changes a lot.

@matthew_d_green

You should look at Cellebrite's tables from April 2024 and you can estimate what they would have done in the past few months in terms of adding support for newer OS versions. The leaked documentation is from April 2024 for the stable release of Cellebrite Premium, not what they had in development or have shipped since then. It's not up-to-date information. Some of what they use got patched by iOS so they were a bit behind. It's July now, not April, so it's not current info.

@matthew_d_green

You can see they needed to request an in-development version to extract data from this phone which implies that there were changes since April 2024 for Samsung devices and perhaps Android as a whole. They regularly lose capabilities from new devices and OS versions. They're always in the process of updating or replacing exploits. It's not specific to iOS.

@matthew_d_green Cellebrite falling behind a few months doesn't mean data won't be extracted from a device.

They'll catch up and then the device can be exploited. iOS and regular Android don't have a way to get the device from AFU back to BFU automatically.

Additionally, they may figure out a way to bypassing the secure element throttling eventually and then suddenly devices which have been kept around for years can have the lock method brute forced.

Cellebrite also isn't the only option.

@GrapheneOS I’m confused about what you said above: that the recent Secure Element devices prevent them from brute-forcing 6-digit PINs but they’ve bypassed it by exploiting the SEP on older phones.

You don’t mean they can take a recent iPhone and somehow use an older iPhone’s hardware to brute force the more recent phone? Cause that doesn’t make sense to me. Are you just saying that they can’t break it now but maybe they can break it in a few years?

@matthew_d_green @GrapheneOS The latter. They can stick a non-Graphene currently-secure phone on a shelf in a cage with a charger and it'll happily stay AFU for months or years until Cellebrite finds an exploit.

I think the wider point is just "capabilities advance, an April leak will understate current capabilities, and they can 'catch up' on already-seized phones"

@rileywd @matthew_d_green

We've been shown a screenshot of the newer documentation showing they support iOS 17.5.1 and the iPhone 15.

We aren't able to confirm the authenticity of this screenshot yet, but this is what someone shared with us:

https://i.imgur.com/WpuUNGh.png

We'll see if our sources can obtain the newer documentation for us and we'll make a new thread with the updated information.

We'll reply here again when we get the newer documentation from a more reliable source than this.