Claims made by forensics companies, their capabilities, and how GrapheneOS fares

I guess the law enforcement has broken the integrity of Signal, Tor, all the VPNs, etc and all of them are honeypots. /Massive s

3 Likes

Re-More Info

But the BFU protections only apply to Pixel 6 or newer and iPhones according to the cellebrite slides ?

https://telefoncek.si/2024/05/2024-05-30-grapheneos-and-forensic-extraction-of-data/

GrapheneOS and forensic extraction of data

2 Likes

I would presume for Pixel this is due to the use of the Google designed Titan chipset on Pixel 6 where as earlier Pixels used Qualcomm that did not have the Secure Enclave-like functions iPhone’s have had since I believe iPhone 6.

The Titan M was present from Pixel 3 up to Pixel 6, where it was replaced by the Titan M2.

1 Like

Thank you for the correction!

1 Like

Virtual machine escapes don’t cost shit compared to Android RCE Zero Click exploits, but you’re free to keep your head in the sand and believe that desktop OS’s are the most secure.

2 Likes

You can just look at cost of exploits for desktop operating systems vs android and ios. It’s not even close. And if I’m being honest, so few people even use Qubes that I don’t think they even bother trying to find exploits for it. Not saying it’s not secure vs a standard desktop linux machine but I don’t think there’s the same level of scrutiny.

2 Likes

This is incorrect. The key is not held in secure element but rather key encryption key is derived from the lock method and the secure element is used to throttle the derivation of the key.

That isn’t the case. Rather, the NXP secure element that was used on the Pixel 2 and Titan M1 seem to have been successfully exploited by Cellebrite just like how they exploited the secure elements in iPhones. iPhone 12 and later has an additional protection within the secure element where exploiting the secure element itself isn’t enough to bypass this, that’s why it started holding up. Samsung has secure elements using standard ARM cores too but they are bypassing that. It doesn’t mean Pixel 5a and earlier or very recent Samsung phones lack secure element, it just means they’re exploiting it.

Pixel 2 added a secure element, but a much less secure standard NXP one.
Pixel 3 moved to a custom ARM-based one with a standard ARM secure core (Titan M1).
Pixel 6 moved to a fully custom RISC-V design based on OpenTitan (Titan M2).

The Titan M2 (used since 6th generation Pixels) appears to be blocking the secure element getting exploited by Cellebrite so far. It is not unlikely that it will eventually be exploited as well despite it holding up for a very long time already, which is why if withstanding bruteforcing indefinitely is part of someone’s threat model, they should be using a passphrase with sufficient entropy (such as 7 diceware words) which no longer needs to rely on the secure element’s throttling.

GrapheneOS’ upcoming 2-factor biometric PIN will make using a long passphrase much more usable for people who don’t want to simply use a fingerprint as a fall back. It will enable having a long passphrase as the primary unlock method that can withstand bruteforce attacks even in the event of a secure element exploit, while allowing the user to use a combination of fingerprint + PIN for everyday use in AFU.


It seems that people are also misinterpreting BFU exploit in those tables to mean that a secure element bypass is occurring, which isn’t correct. Them saying that they have BFU capabilities just means they can get limited data from a BFU device that isn’t encrypted, such as some metadata, not that they’re able to bypass the secure element and bruteforce the device to get in. That’s what “BF” is on their table.

Cellebrite’s docs show that brute force protection holds up against them on Pixel 6 and later and iPhone 12 and later, but they are partially bypassing the iPhone hardware defenses on newer devices.

6 Likes

That doesn’t make a lot of sense. Cellebrite or insert forensics company or exploit vendor here being able to exploit something means that there’s a known exploit. Even if Cellebrite wasn’t selling to non-LE (and even if they were, assuming that these devices don’t end up in other hands via the black market, which if you look into it you’ll quickly find out absolutely happens), the mere fact that the exploit exists means that it can leak and be used in general.

GrapheneOS did get rid of very specific exploits for Pixels (which aren’t specific to Pixels, but Google fixed them in firmware) exactly because these companies overplayed their hand in order to market themselves. GrapheneOS is being accused of trying to market itself when it’s these companies trying to use GrapheneOS’ name to sell their product by saying they have “GrapheneOS support” when what they actually mean is that they can do an extraction if the owner surrenders their password. That’s marketing.

Showing how GrapheneOS holds up against a tool that we have certain information about makes sense when people are concerned based on the intentionally confusing marketing by these companies.

16 Likes

Thank you for the thorough explanation and breakdown! There is always another layer of nuance to learn and appreciate you taking the time to explain that for everyone reading this thread.

2 Likes

So Pixel 6 and 7 hardware is more secure than the newest iPhone hardware?

(Pixel 8 hardware is obviously more secure because of MTE.)

1 Like

GrapheneOS twitter picked up the topic from this discussion. As much as I like the project, I am worried about not remotely accepting any feedback/critics. Sometimes, it gets tiring…

2 Likes

I’m a bit confused. I have read the posts and it doesn’t look to me that @jonah is pushing the narrative privacy/security are only for criminals. I’m not sure where that is coming from.

6 Likes

As much as I love GrapheneOS, actions like this do not sit well with me. Isn’t the first time it has happened either.

3 Likes

Graphene OS claiming they protect better agaisnt Celebrite (a private company) equals them claiming that LE can’t touch you ? Why ? (btw even Signal got access to a Celebrite device…)

  • What I got from his messages was :
    • Graphene OS shouldn’t claim to protect agaisnt a specific product used in majority by LE that use “public”(*) exploits only because this product is used by LE ?
    • So a project about privacy and security shouldn’t do anything to or claim to protect your informations from LE because “it usually doesn’t end well” ?
    • So what, non criminals do not need to protect themselves from LE (and in this case from a private company and exploits) ?

I can clearly see how someone could interpret that as “Only criminals have a reason to protect agaisnt LE and companies working with them”. To be fair, I also think that there is more to be said about his missundertstanding of what Cellebrite is and how a lot of peoples need to be able to rely on privacy tools like Graphene OS being secure agaisnt such adversaries to stay free (and not only criminals) which they couldn’t if Graphene did not proove it by publishing Cellebrite marketing materials.

(*) : by public I mean that can be found by others.

I feel like they’ve stopped teaching reading comprehension and critical thinking skills in schools. Maybe the real fight isn’t getting people to switch to privacy tools, but fixing our public education systems :joy:

2 Likes

Cellebrite is also the company instructing their criminal LE clients to lie in court about how they obtained access to the devices.

3 Likes

I guess this is the part that started everything. Which is fair because GrapheneOS didn’t state that law enforcement can’t touch you.
Their whole post was about cellebrite and not LE.

(Still not sure where “privacy and security is only for criminals” comes from.)

4 Likes