pull down to refresh

What does the “available in CAS” mean for the iPhone 15 series?
Available in Cellebrite Advanced Services. It's a service where you pay them to do it for you.
reply
Lockdown mode blocks USB connections while the device is locked. Doesn't that mitigate the AFU issue as if the device is locked, even after first unlock, it won't allow anything to connect to it in the first place?
reply
Cellebrite mentions nothing about Lockdown Mode in their documentation. We believe Lockdown Mode does not matter to them as they have an appendix for caveats on certain extractions and Lockdown Mode is not one of them.
Lockdown Mode reduces attack surface for the browser and Apple services like iMessage or FaceTime. It hardly does anything to secure the base OS, which we think is disappointing. We believe the setting is too strict and should be more configurable, instead they design it with their way of minimising settings. You cant individually toggle hardening like changes for the browser.
reply
0 sats \ 1 reply \ @Zk2u 23 Jul
As far as I know, most cellebrite devices work by plugging in the device. If you enable lockdown mode and your phone is locked even after AFU, iOS will refuse any data connections over USB. They’d have to either exploit something from inside the phone or do a memory extraction which isn’t exactly easy. I don’t think graphene can protect from a memory extraction? I haven’t looked at the latter in much detail
reply
I didn't get a notification to reply to this - I didn't mean to ignore this! I just saw when trying to search recent Cellebrite news on here.
As far as I know, most cellebrite devices work by plugging in the device. If you enable lockdown mode and your phone is locked even after AFU, iOS will refuse any data connections over USB
They can bypass this restriction. Cellebrite do not mention Lockdown Mode in the Premium documentation as it doesn't change anything for them. Users from a law-enforcement forensics chat room we previously monitored also still tell that this is the case (they claim to have special cables that have a payload to bypass that) and that it isn't exclusive to Cellebrite. Potentially Apple could make a fix for this, as they did make an automatic reboot feature recently that pissed the forensic companies off.
People are still leaking chats there saying this is the case like in here: (source)
For bespoke cases, the client would pay Cellebrite to have their expert teams find a way in themselves (called Advanced Services).
They’d have to either exploit something from inside the phone or do a memory extraction which isn’t exactly easy.
It's absolutely possible they could do that but they'd hate to do the former. They're both exploits that would meet the objective but it's apples and oranges.
They like their exploits to have as minimal data footprint as possible because if their extraction methods are modifying the owner's data then it can be used as a defence in court that the evidence is tampered which risks making it inadmissible. For example, Cellebrite have an APK downgrade feature for downgrading apps or OS components to outdated, vulnerable versions on Android to aid extractions. They say it is an absolute last resort when every other method has been exhausted, including attempting physical attacks. They could do it, but remote access a la NSO Group is for a different type of customer than what Cellebrite sells to.
I don’t think graphene can protect from a memory extraction? I haven’t looked at the latter in much detail
Hardened memory allocator in GrapheneOS zeroes memory when it is freed. It protected against a forensic company that exploited the Stock OS by RAM dumping from a bootloader exploit to get a derived hash they could brute force the OS PIN/password with. GrapheneOS recieved bounties and ASBs for reporting it and building a fix for that (post here) but the stock OS still falls behind what GrapheneOS does.
reply