A story to keep an eye on; there are two things I think it's important we note:
This is the best opportunity since Jan 6 for the FBI to start their usual “end to end encryption is terrible” campaign, but they haven’t done so.
They won’t reveal the phone model publicly, and they’re confident they can get in on their own.
To me, this is sounding like complaints about E2EE from law enforcement may be dying down, because they now have the capabilities to generally get around it reliably
Unless the dude has a very secure phone and OS (like GrapheneOS) with some specific extras (very long password + good opsec), any government would be able to break into this phone,
which had nothing of value on it. But I guess this case is different, as the shooter doesn't belong to a specific group and had no clear motives, so unlocking his device might be more appealing to the FBI.
According to the image that GrapheneOS shared on their Mastodon, Cellebrite claims to be able to get the decrypted data of most non-Titan-M2-Pixel Android phones even before first unlock.
Well yeah, the truth is that most people carry phones with shit security, easily allowing memory dumps etc. Evil maid attacks like Cellebrite kits are not considered an issue by many vendors.
A simple OS-level exploit would be enough to bypass this, the same goes for a duress PIN or password. The only difference is that a duress PIN or password is a lot more useful while being a lot safer from accidental or unwanted wipes.
Weaver throttling and auto-reboot make a 6-digit PIN completely untouchable and are a much more robust solution. There is zero evidence of someone having an exploit to bypass the Weaver throttling on Pixel 6 and up, in fact, there is a lot of evidence of the opposite because of the leaks from XRY and Cellebrite.
As for the auto-reboot feature, if someone tries to bypass it, it will result in a kernel panic, which will cause the device to reboot anyway.
I’m pretty sure the 3-letter agencies have at least a couple of 0-days for stock Android ready for use at any time.
How are you getting to the conclusion that there is “no way” of getting into a Google Pixel? It’s a highly complex system and if we know anything it’s that all complex systems have bugs. A lot of them.
The guy had fingerprint unlock on his phone; they simply held the phone up to his thumb.
They tracked his movements and used CCTV to find him unlocking his phone. I've seen this used by British police before (they used CCTV from a shop to find a PIN code).
The phone was an iPhone or Android on a previous OS version where Cellebrite has BFU and AFU exploits available.
The phone was an iPhone or Android in an AFU state, meaning Cellebrite could easily unlock it (especially if the phone is not fully updated).
They used a list of other passwords from email accounts, devices, and dates of birth (family is cooperating) to generate a dictionary, then brute-forced the password with this wordlist. (This usually takes at least 2-3 weeks.) It's also risky if there is auto-delete (assuming it's an iPhone).
With how fast it was to unlock I’d be willing to bet that the password wasn’t complex alphanumeric, on a recent patch level iPhone or Pixel.
There have been 2 or 3 exploits for the Pixel that are capable of unlocking these phones from an AFU state. However, these have been patched for a few months now. Previously, these exploits were confirmed to be used to unlock Pixels.
There have never been BFU exploits to unlock Pixels since the Titan M2. In fact, one federal agent said “Pixels are heavily encrypted and shouldn’t be sold to normal people” (Paraphrased quote, will find the article).
The fix for these exploits resulted in a much smaller attack surface (increased USB restricted mode and other features that are essential to unlocking phones).
I personally believe both Apple and Google will eventually defeat Cellebrite, since the attack surface is getting very small.
For example, on current M1-M3 MacBooks, computer forensic technicians are unable to image these devices or unlock them (even in AFU state). This is because of Apple's SoC + SIP. The only potential attack would be to dump the RAM by removing the sticks; however, on a Mac the RAM is soldered in, preventing this as well. There is simply no attack surface anymore to unlock these devices.
On another forum there is a user who had 4 Pixels confiscated in a federal lab for months with an order to “unlock as soon as possible”. They were unable to get in. All phones were BFU and on very old OS versions. Alphanumeric passwords.
By the way, shout out to the GrapheneOS team! They discovered many of these exploits, and GrapheneOS was never vulnerable to them.
“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”
“Google implemented a fix by zeroing the memory when booting fastboot mode, and only enabling USB connectivity after the zeroing process is completed, rendering the attacks impractical.”
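The targeted dictionary attack described in the post above (seed a wordlist from passwords the person already uses, dates of birth and family names, then try candidates while staying below an auto-wipe threshold) is easy to model offline. The block below is an added example and not code from anyone in this thread; the profile data, the salt and the target password are constructed for the demo, and PBKDF2 with a deliberately low iteration count stands in for the real on-device verifier, which in practice lives behind a secure element and its throttling.

```python
"""Targeted dictionary attack model: personal-data wordlist + attempt budget.

Added example (not from the thread). Everything below the imports is
constructed: the profile, the salt and the target password are made up.
"""
import hashlib
import hmac
import os
from datetime import date

# Kept low so the demo finishes in about a second. A real verifier uses a far
# slower KDF and sits behind a secure element that throttles attempts.
ITERATIONS = 10_000


def build_wordlist(known_passwords, birthdays, names):
    """Return an ordered, de-duplicated candidate list.

    Tier 0: passwords the target is already known to use (reuse is common).
    Tier 1: dates of birth in common layouts and family names.
    Tier 2: cheap mutations of tiers 0 and 1 (suffixes, capitalisation, name+date).
    Earlier tiers are tried first; duplicates keep their first position.
    """
    tier0 = list(known_passwords)

    tier1 = []
    for d in birthdays:
        for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%d%m", "%Y"):
            tier1.append(d.strftime(fmt))
    for n in names:
        tier1.extend([n.lower(), n.capitalize()])

    tier2 = []
    for w in tier0 + tier1:
        for suffix in ("1", "123", "!", "2023", "2024"):
            tier2.append(w + suffix)
            tier2.append(w.capitalize() + suffix)
    for n in names:
        for d in birthdays:
            tier2.append(n.capitalize() + d.strftime("%Y"))
            tier2.append(n.lower() + d.strftime("%d%m"))

    return list(dict.fromkeys(tier0 + tier1 + tier2))


def derive(password, salt):
    """Stand-in for the device's password verifier (constructed, see ITERATIONS)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def dictionary_attack(wordlist, salt, stored_hash, wipe_after):
    """Try candidates in order, stopping one attempt short of the wipe threshold.

    Returns (password or None, attempts_made). Stopping early is the point:
    with auto-delete enabled, the Nth wrong guess destroys the evidence.
    """
    budget = wipe_after - 1
    attempts = 0
    for cand in wordlist:
        if attempts >= budget:
            break
        attempts += 1
        if hmac.compare_digest(derive(cand, salt), stored_hash):
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed profile: two passwords recovered from the person's email
    # accounts, one date of birth and one family first name.
    profile = dict(
        known_passwords=["Summer2019", "hunter2"],
        birthdays=[date(1990, 7, 14)],
        names=["Max"],
    )
    salt = os.urandom(16)
    target = derive("Summer2019!", salt)  # constructed: a reused password plus "!"

    wl = build_wordlist(**profile)
    print(f"{len(wl)} candidates")
    print("no wipe limit:", dictionary_attack(wl, salt, target, wipe_after=10**6))
    print("wipe after 10:", dictionary_attack(wl, salt, target, wipe_after=10))
```

With a generous limit the reused password plus a suffix falls out of tier 2 after 14 guesses; with an iPhone-style limit of 10 the attack stops at 9 attempts and reports nothing, which is the trade-off the post calls risky. The tier ordering matters more than the mutation set: putting reused passwords first is what keeps the expected attempt count inside a small wipe budget.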
Being one of the users on this forum who spends more time hating on Apple than is healthy. Like yes, [big company] does [bad things], we understood that the first few hundred times it was mentioned.