Cellebrite are a mobile forensics company selling data extraction tools that use exploits to open devices for law enforcement, governments, private investigators, and other organisations. Cellebrite Premium is their product for Law Enforcement and Government clients.
Here's the Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024:
404media recently published an article based on the same April 2024 docs we received in April and published in May. Many tech news sites including 9to5Mac made incorrect assumptions treating that as current.
Here's the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for Pixels. They're still unable to exploit locked GrapheneOS devices unless they're missing patches from 2022. A locked GrapheneOS device also automatically gets back to BFU from AFU after 18h by default.
GrapheneOS is defending against these tools with generic exploit protections rather than by patching specific vulnerabilities. Until recently, it's likely that it was our generic memory corruption exploit mitigations including hardened_malloc which was successfully stopping this.
In February 2024, we added a new feature for disabling the USB-C port at a hardware level. In March 2024, we set the default mode to "Charging-only when locked, except before first unlock". In June 2024, we increased the default security level to "Charging-only when locked".
Later in June 2024, we extended our software-level USB protection, merged it into the newer hardware-level protection feature and extended the hardware-level protection to pogo pins on the Pixel Tablet. There's extremely strong protection against these USB-based attacks now.
Here's the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for overall Android devices. Other than the Titan M2 on the Pixel 6 and later not being successfully yet to bypass brute force protection, it's largely just based on what they've had time to support.
In January 2024, we reported several vulnerabilities being exploited by the XRY tool from MSAB to get data from Android devices including stock OS Pixels. In April 2024, Pixels shipped a reset attack mitigation we proposed preventing the whole attack vector. We plan to expand it.
Currently, non-Pixel devices are still vulnerable to these reset attacks. In June 2024, Android 14 QPR3 included another feature we proposed providing wipe-without-reboot support for the device admin wipe API. We shipped this early and use it in our duress PIN/password feature.
We also began triggering a full compacting garbage collection cycle in system_server and SystemUI when the device is locked based on info about these attacks. This releases memory for no longer allocated objects to the OS, where our generic zero-on-free feature clears all of it.
In the near future, we plan to ship support for adding a PIN as a 2nd factor to fingerprint unlock to enable users to use a strong passphrase combined with PIN+fingerprint secondary unlock for convenience. We have an initial implementation, but it needs more work before shipping.
reply
Its pretty scary that with alot of these tools, devices can be broken into. Not a good sign at all!
reply
35 sats \ 1 reply \ @k00b 21 Jul
All of this was new to me. Glossary:
  • AFU - after first unlock
  • BFU - before first unlock
  • BF - brute force
It looks like the goal is no BF when AFU. Graphene is the only OS that has sufficient defenses?
reply
1012 sats \ 0 replies \ @final OP 21 Jul
Rest of the glossary is here:
  • BFU Yes - BFU Extraction (extraction of data only available in BFU), so list of installed apps (NOT the data of the apps), network configuration and metadata.
  • FFS - Full File System extraction (all current profile user data and privileged data like application data)
  • FBE - File-based Encryption (current Android encryption)
  • FDE - Full Disk Encryption (legacy Android encryption not in use anymore)
  • SPL - Security Patch Level ("up to [date] SPL" means they are only able to do it on that patch level or earlier)
Tools like Cellebrite are designed to either bypass, retrieve, or brute force the device credential to unlock the device and perform data extraction. They exploit the devices they target to do this. Where AFU has FFS support but no Brute Force, it can suggest they have a way to extract data without needing to brute force the device credential.
For example, the Stock OS has FFS extraction for AFU despite not having support for brute forcing the Titan M2 secure element in Pixels, this would imply a stock OS vulnerability of some kind. GrapheneOS cannot be extracted because that exploit doesn't work, and they also cannot brute force the device credential to find a way to unlock. It's the only device / OS combination that hasn't been broken into, excluding ones they haven't had time to target yet like 5th generation iPad Pros.
In cases where Brute Force is available, having a strong passphrase that cannot be bruteforced would make that impossible anyhow.
Unlocked doesn't mean much because that situation involves when you successfully brute force (not possible) or if the target gives away his PIN/password (out of scope).
It's entirely possible a powerful government can extract data from an After First Unlock state device via sending it to a lab where they can get data directly from RAM or tamper with it to get control of the device. Mobile devices don't have encrypted memory yet. Main SoC is much more resistant to tampering than a desktop CPU / motherboard but that's not saying a lot. It's not tamper resistant in the same sense as the secure element.
reply
What does the “available in CAS” mean for the iPhone 15 series?
reply
Available in Cellebrite Advanced Services. It's a service where you pay them to do it for you.
reply
Lockdown mode blocks USB connections while the device is locked. Doesn't that mitigate the AFU issue as if the device is locked, even after first unlock, it won't allow anything to connect to it in the first place?
reply
Cellebrite mentions nothing about Lockdown Mode in their documentation. We believe Lockdown Mode does not matter to them as they have an appendix for caveats on certain extractions and Lockdown Mode is not one of them.
Lockdown Mode reduces attack surface for the browser and Apple services like iMessage or FaceTime. It hardly does anything to secure the base OS, which we think is disappointing. We believe the setting is too strict and should be more configurable, instead they design it with their way of minimising settings. You cant individually toggle hardening like changes for the browser.
reply
As far as I know, most cellebrite devices work by plugging in the device. If you enable lockdown mode and your phone is locked even after AFU, iOS will refuse any data connections over USB. They’d have to either exploit something from inside the phone or do a memory extraction which isn’t exactly easy. I don’t think graphene can protect from a memory extraction? I haven’t looked at the latter in much detail
reply
Damn, those employees must be absolute nerds, but impressive nonetheless.
reply
Any solution to escape such tools?
I don't know any.
reply
In current age of information, these tools are for limiting the FREEDOM! Are there any rules for the implementation of these on anyone! Can we say these tools will only be applied on criminals?
reply
These tools/procedures are widely used for other reasons including at border crossings. They get training to use it. Law enforcement also often uses them illegally for unjustified search and seizure targeting those who have done nothing beyond crossing a border or journalism. The people using tools from Cellebrite or competitors are often the ones breaking the law or using them for criminal reasons. Many of the people using these tools are in fact criminals breaking the actual laws of the land.
Even if they say it's only for certain governments and law enforcement clients, it doesn't stop them getting out. There are likely militias in the world using this. If we can get documentation, someone far more powerful could get the software too.
reply
These are scary things! How are these companies even evolving when the concerns over privacy are rapidly growing!
reply
We also began triggering a full compacting garbage collection cycle in system_server and SystemUI when the device is locked based on info about these attacks. This releases memory for no longer allocated objects to the OS, where our generic zero-on-free feature clears all of it
reply
stackers have outlawed this. turn on wild west mode in your /settings to see outlawed content.
stackers have outlawed this. turn on wild west mode in your /settings to see outlawed content.