
Cellebrite are a mobile forensics company selling data extraction tools that use exploits to open devices for law enforcement, governments, private investigators, and other organisations. Cellebrite Premium is their product for Law Enforcement and Government clients.
Here's the Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024:
404media recently published an article based on the same April 2024 docs we received in April and published in May. Many tech news sites including 9to5Mac made incorrect assumptions treating that as current.
Here's the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for Pixels. They're still unable to exploit locked GrapheneOS devices unless they're missing patches from 2022. A locked GrapheneOS device also automatically gets back to BFU from AFU after 18h by default.
GrapheneOS is defending against these tools with generic exploit protections rather than by patching specific vulnerabilities. Until recently, it's likely that it was our generic memory corruption exploit mitigations, including hardened_malloc, which were successfully stopping this.
In February 2024, we added a new feature for disabling the USB-C port at a hardware level. In March 2024, we set the default mode to "Charging-only when locked, except before first unlock". In June 2024, we increased the default security level to "Charging-only when locked".
Later in June 2024, we extended our software-level USB protection, merged it into the newer hardware-level protection feature and extended the hardware-level protection to pogo pins on the Pixel Tablet. There's extremely strong protection against these USB-based attacks now.
Here's the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for overall Android devices. Other than the Titan M2 on the Pixel 6 and later not yet being successfully bypassed to defeat brute force protection, it's largely just based on what they've had time to support.
In January 2024, we reported several vulnerabilities being exploited by the XRY tool from MSAB to get data from Android devices including stock OS Pixels. In April 2024, Pixels shipped a reset attack mitigation we proposed preventing the whole attack vector. We plan to expand it.
Currently, non-Pixel devices are still vulnerable to these reset attacks. In June 2024, Android 14 QPR3 included another feature we proposed providing wipe-without-reboot support for the device admin wipe API. We shipped this early and use it in our duress PIN/password feature.
We also began triggering a full compacting garbage collection cycle in system_server and SystemUI when the device is locked based on info about these attacks. This releases memory for no longer allocated objects to the OS, where our generic zero-on-free feature clears all of it.
In the near future, we plan to ship support for adding a PIN as a 2nd factor to fingerprint unlock to enable users to use a strong passphrase combined with PIN+fingerprint secondary unlock for convenience. We have an initial implementation, but it needs more work before shipping.
reply
It's pretty scary that with a lot of these tools, devices can be broken into. Not a good sign at all!
reply
35 sats \ 1 reply \ @k00b 21 Jul
All of this was new to me. Glossary:
  • AFU - after first unlock
  • BFU - before first unlock
  • BF - brute force
It looks like the goal is no BF when AFU. Graphene is the only OS that has sufficient defenses?
reply
1012 sats \ 0 replies \ @final OP 21 Jul
Rest of the glossary is here:
  • BFU Yes - BFU Extraction (extraction of data only available in BFU), so the list of installed apps (NOT the data of the apps), network configuration and metadata.
  • FFS - Full File System extraction (all current profile user data and privileged data like application data)
  • FBE - File-based Encryption (current Android encryption)
  • FDE - Full Disk Encryption (legacy Android encryption not in use anymore)
  • SPL - Security Patch Level ("up to [date] SPL" means they are only able to do it on that patch level or earlier)
Tools like Cellebrite are designed to either bypass, retrieve, or brute force the device credential to unlock the device and perform data extraction. They exploit the devices they target to do this. Where AFU has FFS support but no Brute Force, it can suggest they have a way to extract data without needing to brute force the device credential.
For example, the Stock OS has FFS extraction for AFU despite not having support for brute forcing the Titan M2 secure element in Pixels; this would imply a stock OS vulnerability of some kind. GrapheneOS cannot be extracted because that exploit doesn't work, and they also cannot brute force the device credential to find a way to unlock. It's the only device / OS combination that hasn't been broken into, excluding ones they haven't had time to target yet like 5th generation iPad Pros.
In cases where Brute Force is available, having a strong passphrase that cannot be bruteforced would make that impossible anyhow.
Unlocked doesn't mean much because that situation arises when you successfully brute force (not possible) or if the target gives away his PIN/password (out of scope).
It's entirely possible a powerful government can extract data from an After First Unlock state device via sending it to a lab where they can get data directly from RAM or tamper with it to get control of the device. Mobile devices don't have encrypted memory yet. The main SoC is much more resistant to tampering than a desktop CPU / motherboard but that's not saying a lot. It's not tamper resistant in the same sense as the secure element.
reply
What does the “available in CAS” mean for the iPhone 15 series?
reply
Available in Cellebrite Advanced Services. It's a service where you pay them to do it for you.
reply
Lockdown mode blocks USB connections while the device is locked. Doesn't that mitigate the AFU issue as if the device is locked, even after first unlock, it won't allow anything to connect to it in the first place?
reply
Cellebrite mentions nothing about Lockdown Mode in their documentation. We believe Lockdown Mode does not matter to them as they have an appendix for caveats on certain extractions and Lockdown Mode is not one of them.
Lockdown Mode reduces attack surface for the browser and Apple services like iMessage or FaceTime. It hardly does anything to secure the base OS, which we think is disappointing. We believe the setting is too strict and should be more configurable; instead they design it with their way of minimising settings. You can't individually toggle hardening-like changes for the browser.
reply
0 sats \ 1 reply \ @Zk2u 23 Jul
As far as I know, most cellebrite devices work by plugging in the device. If you enable lockdown mode and your phone is locked even after AFU, iOS will refuse any data connections over USB. They’d have to either exploit something from inside the phone or do a memory extraction which isn’t exactly easy. I don’t think graphene can protect from a memory extraction? I haven’t looked at the latter in much detail
reply
I didn't get a notification to reply to this - I didn't mean to ignore this! I just saw when trying to search recent Cellebrite news on here.
As far as I know, most cellebrite devices work by plugging in the device. If you enable lockdown mode and your phone is locked even after AFU, iOS will refuse any data connections over USB
They can bypass this restriction. Cellebrite do not mention Lockdown Mode in the Premium documentation as it doesn't change anything for them. Users from a law-enforcement forensics chat room we previously monitored also still say that this is the case (they claim to have special cables that have a payload to bypass that) and that it isn't exclusive to Cellebrite. Potentially Apple could make a fix for this, as they did make an automatic reboot feature recently that pissed the forensic companies off.
People are still leaking chats there saying this is the case like in here: (source)
For bespoke cases, the client would pay Cellebrite to have their expert teams find a way in themselves (called Advanced Services).
They’d have to either exploit something from inside the phone or do a memory extraction which isn’t exactly easy.
It's absolutely possible they could do that but they'd hate to do the former. They're both exploits that would meet the objective but it's apples and oranges.
They like their exploits to have as minimal a data footprint as possible because if their extraction methods are modifying the owner's data then it can be used as a defence in court that the evidence has been tampered with, which risks making it inadmissible. For example, Cellebrite have an APK downgrade feature for downgrading apps or OS components to outdated, vulnerable versions on Android to aid extractions. They say it is an absolute last resort when every other method has been exhausted, including attempting physical attacks. They could do it, but remote access a la NSO Group is for a different type of customer than what Cellebrite sells to.
I don’t think graphene can protect from a memory extraction? I haven’t looked at the latter in much detail
The hardened memory allocator in GrapheneOS zeroes memory when it is freed. It protected against a forensic company that exploited the Stock OS by RAM dumping from a bootloader exploit to get a derived hash they could brute force the OS PIN/password with. GrapheneOS received bounties and ASBs for reporting it and building a fix for that (post here) but the stock OS still falls behind what GrapheneOS does.
reply
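An added illustration of the zero-on-free point in the reply above (my own code, not GrapheneOS or hardened_malloc code): a constructed toy arena stands in for a heap region captured in a RAM dump, a constructed byte string stands in for a credential-derived hash, and a scan of the arena after free shows whether a plain free or a zero-on-free leaves the value recoverable.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy arena standing in for a heap region that would appear in a
   RAM dump. Added illustration, not GrapheneOS or hardened_malloc code. */
#define POOL_SIZE 256
static uint8_t pool[POOL_SIZE];
static size_t pool_top;

static void pool_reset(void) { memset(pool, 0, POOL_SIZE); pool_top = 0; }

/* Bump allocation: hands out consecutive slices of the pool. */
static uint8_t *pool_alloc(size_t n) {
    if (pool_top + n > POOL_SIZE) return NULL;
    uint8_t *p = pool + pool_top;
    pool_top += n;
    return p;
}

/* A plain allocator only marks a freed slice reusable, leaving its contents in
   place; a zero-on-free allocator (the behaviour the thread attributes to
   hardened_malloc) wipes it before the memory can be reused or dumped. */
static void pool_free(uint8_t *p, size_t n, bool zero_on_free) {
    if (!zero_on_free) return;
    volatile uint8_t *vp = p;   /* volatile so the wipe is not optimised away */
    for (size_t i = 0; i < n; i++) vp[i] = 0;
}

/* Stand-in for an offline scan of a memory dump: does the pattern survive? */
static bool dump_contains(const uint8_t *pattern, size_t n) {
    for (size_t i = 0; i + n <= POOL_SIZE; i++)
        if (memcmp(pool + i, pattern, n) == 0) return true;
    return false;
}

/* Stores a constructed stand-in for a credential-derived hash, frees it, and
   reports whether the value is still recoverable from the "dump". */
static bool secret_recoverable_after_free(bool zero_on_free) {
    static const uint8_t derived_hash[16] = { 0xDE,0xAD,0xBE,0xEF,0x01,0x23,0x45,0x67,
                                              0x89,0xAB,0xCD,0xEF,0x10,0x32,0x54,0x76 };
    pool_reset();
    uint8_t *buf = pool_alloc(sizeof derived_hash);
    memcpy(buf, derived_hash, sizeof derived_hash);
    pool_free(buf, sizeof derived_hash, zero_on_free);   /* object no longer in use */
    return dump_contains(derived_hash, sizeof derived_hash);
}
```

Calling `secret_recoverable_after_free(false)` reports the hash still present after a plain free, while `secret_recoverable_after_free(true)` reports it gone, which is the property that makes a post-lock RAM dump far less useful.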
Damn, those employees must be absolute nerds, but impressive nonetheless.
reply
Any solution to escape such tools?
I don't know any.
reply
In the current age of information, these tools are for limiting FREEDOM! Are there any rules for the implementation of these on anyone! Can we say these tools will only be applied on criminals?
reply
These tools/procedures are widely used for other reasons including at border crossings. They get training to use it. Law enforcement also often uses them illegally for unjustified search and seizure targeting those who have done nothing beyond crossing a border or journalism. The people using tools from Cellebrite or competitors are often the ones breaking the law or using them for criminal reasons. Many of the people using these tools are in fact criminals breaking the actual laws of the land.
Even if they say it's only for certain governments and law enforcement clients, it doesn't stop them getting out. There are likely militias in the world using this. If we can get documentation, someone far more powerful could get the software too.
reply
These are scary things! How are these companies even evolving when the concerns over privacy are rapidly growing!
reply