
Digital forensics company MSAB released an update for their mobile forensics suite XRY Pro last month, claiming they can extract GrapheneOS devices in a very limited capacity.
"Full filesystem extraction of Graphene OS: Finding you have no solution for Graphene, the privacy and security hardened version of Android OS? Fear not, XRY Pro now offers full file system consent-based extractions on Pixel 6 and 7."

Your OS is not at risk.

A consent-based extraction is a term used for extraction scenarios where the individual willingly permits the extraction. While a filesystem extraction could imply exploitation (only logical extraction had been documented before), there is no suggestion that this affects multiple user profiles (data in other profiles is encrypted with its own separate keys). Likewise, consenting means that this is a useless scenario in an AFU situation or when the device has been automatically rebooted.

Secure setups exist to prevent this already

  • Without consenting to extraction, it's not possible. A GrapheneOS user running as normal, or one taking advantage of the security enhancements, would not be affected. Not giving away your PIN is enough in this scenario.
  • User profiles are designed to be erased: the data on the profile is encrypted and then the keys are purged permanently from the device, leaving everything that once belonged to that profile unreadable. If you are running a high-security setup, do not do anything inside the Owner profile except to configure settings exclusive to Owner.
  • Filesystem extractions are limited in what they can do and don't account for deleted files.
  • Exploitation of the hardware was not discussed. While MSAB claim to have a brute-force attack for Pixels, they claim it involves exploiting the memory. Owner profiles that were not unlocked once after bootup, or a user profile that has been ended with the End Session button, are presumed unaffected, as such information would not be in memory (https://www.msab.com/product/xry-extract/xry-pro/). Use Automatic reboot and disable running multiple sessions in profile settings.
  • For extremely paranoid setups, a 12+ word diceware passphrase would make brute force attacks impossible regardless of exploitation of the hardware.

GrapheneOS is Winning

This changelog indicates the forensics community's traditional exploits for standard Android operating systems and third-party operating systems did not work on GrapheneOS due to its hardening, and they are going to have to develop unique methods. Other operating systems are affected by worse.
Mentions of GrapheneOS by forensics companies are not a show of weakness but a show of strength. Other AOSP distributions do not need special or exclusive methods to attempt extractions. GrapheneOS does. They don't need to build exclusive support for the other operating systems, as they are just standard Android with different user-facing apps; the lack of Google apps doesn't change the security of the operating system by itself.
The fact that these companies need to spend more time and more resources to try and perform an exploit (that still only works when you ALLOW them to extract the phone) shows GrapheneOS is working and meeting its objectives:
"preventing an attacker from exploiting a vulnerability, either by making it impossible, unreliable or at least meaningfully harder to develop" -- https://grapheneos.org/features#exploit-protection
A small non-profit open-source project is causing trouble for several giant companies, each with millions of dollars ready to fund teams and research into attacking it. In my opinion this is the best thing to prove GrapheneOS' resilience.

It's only going to get harder as GrapheneOS improves

GrapheneOS' developers are creating a Duress / Erasure PIN, which they claim will be coming around the time they release the Android 14 builds. The Pixel 8 will also support Memory Tagging, which will make memory exploits significantly harder and is something GrapheneOS will try to enhance.
GrapheneOS also want to replace Linux with a hardened microkernel to reduce attack surface and have a virtual machine manager app due to hardware virtualization support on newer devices.
The simplest attack that I can imagine is Google just removes the features that make the Pixel phone viable for this sort of OS. Then what?
reply
This is a very good point, but it won't do anything to impact the security of older Pixels, and presumably some other company will step in to profit from the newly-opened market niche. Hopefully.
reply
I'll encourage all companies, startups, agencies, public and private sector to attack GrapheneOS and that's OK to me...we will learn more about security issues but also the most important thing: we're winning
reply
True heroes.
Marvel bullshit has nothing on the people fighting to preserve our freedoms
reply
Thanks for the writeup. Big fan of GrapheneOS.
reply
my daily driver!
reply