GrapheneOSJul 21, 2024

Here's the Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024.

404media recently published an article based on the same April 2024 docs we received in April and published in May. Many tech news sites including 9to5Mac made incorrect assumptions treating that as current.

Show threadGrapheneOSJul 21, 2024
Here's the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for Pixels. They're still unable to exploit locked GrapheneOS devices unless they're missing patches from 2022. A locked GrapheneOS device also automatically gets back to BFU from AFU after 18h by default.
Show threadGrapheneOSJul 27, 2024
@kkarhan We've made huge improvements to the security of GrapheneOS against these atttacks in 2024. They should be forced to use a different attack vector than USB for locked GrapheneOS devices now such as Wi-Fi, Bluetooth or cellular. It's entirely possible they'll figure out a way to exploit it, but they might not ship it in the Cellebrite Premium tool if it can't be done via USB. We certainly don't think that they can't exploit GrapheneOS, but it'll be a lot harder for them to do it now.
Show threadGrapheneOSJul 27, 2024
@kkarhan We plan to dedicate significant effort to hardening against lockscreen bypasses within the UI. We'll likely disable lockscreen camera access by default at least for fresh installations as part of this, among other things. We could also consider enabling a Wi-Fi and Bluetooth timeout by default, although auto-reboot is a more complete way of dealing with the whole thing.
Show threadGrapheneOSJul 27, 2024

@kkarhan We already have a duress PIN/password feature which wipes the device nearly instantly without requiring a reboot to recovery. It does it when you enter the PIN/passphrase in any place the OS requests it, not just the lockscreen.

It's too easy to enter a fingerprint by accident. We have a 2-factor fingerprint feature in development and you'll be able to enter the duress PIN as the special PIN requested after the fingerprint is accepted before the device is unlocked.

Show threadGrapheneOSJul 27, 2024

@kkarhan Those are insecure devices which are missing many of our security requirements. They're missing what we need to provide protection against exploits Cellebrite and similar companies.

https://grapheneos.org/faq#future-devices

The devices we support do have real dual SIM. eSIM is increasingly the norm and they support either physical SIM + eSIM or dual eSIM. GrapheneOS has perfectly usable eSIM support included.

The devices we support have USB-C digital audio output along with DisplayPort alternate mode.

GrapheneOS Frequently Asked Questions

Answers to frequently asked questions about GrapheneOS.

GrapheneOS
Show threadGrapheneOSJul 27, 2024

@kkarhan There's no point in waiting for us to support devices not meeting even basic security requirements. It's never going to happen. If there was a device missing only a couple minor features we could consider removing them as hard requirements, but we're certainly not going to remove any of the important features.

Both of those phone brands are missing even proper security patches for firmware/drivers which would impact GrapheneOS too. A large portion of that list is missing for them...

Show threadGrapheneOS
@kkarhan You'll need to talk to Fairphone rather than us if you want them to make secure devices. We don't think that's going to happen and it would be a waste of effort. It's more likely that a vendor like Samsung will work with us and make major improvements to security than a tiny vendor without the resources to implement what we require and which clearly doesn't prioritize security meeting our standards.
Jul 27, 2024 at 7:06amWeb