Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking
Posted by AbhishMuk@reddit | hardware | View on Reddit | 43 comments
Dogeboja@reddit
I would never dare to use Android when these devices exist. iPhone is much more secure and Apple even sends you an immediate response if you are for some reason running an ancient version and have been targeted.
EloquentPinguin@reddit
They can't break GrapheneOS apparently, and on Cellebrite's side they claim that they unlock and extract up to iPhone XR; similarly they claim they can unlock up to Galaxy S10, and that's why I believe they can break much more recent devices than they claim.
For most people, both Android and iPhone are secure enough; for people who are very serious, GrapheneOS is the option; against state-level actors and the like probably nobody is secure.
At that point the chain of trust breaks.
randomkidlol@reddit
Curious as to what GrapheneOS does differently vs Google or Samsung's software stack that makes this attack more difficult. More aggressive sandboxing for apps? Removing some vulnerable background daemons? The 1st step of breaking in via the USB port is still the same, so I assume they're using the same USB driver or firmware vulnerabilities.
EloquentPinguin@reddit
They disable the USB port while locked actually. So Android disables most USB features by default, but some remain enabled. GrapheneOS makes it completely useless, other than charging, while locked. You can even extend this setting to disable charging while locked, but probably only a few have it enabled.
This results in the USB interface being less vulnerable.
iBoMbY@reddit
The problem is Graphene only works on Google devices, and Google is not trustworthy (just like Apple isn't trustworthy). They are subject to the US secret court, and they will do whatever the US government wants them to do.
EloquentPinguin@reddit
Yes, that's why I mentioned that there is no safety against state level actors.
robot-exe@reddit
I don't think you understand how these work. Cellebrite's tool is something where it's required to be plugged into your device (outside of iCloud collections, which are a bit different). Every iPhone can be collected; the only limitation for brute-forcing is really your password, as well as whether it's BFU (Before First Unlock) or AFU (After First Unlock). If you have a 4-digit password on your iPhone, for example, it'll be cracked over a weekend.
anival024@reddit
If you've unlocked your device after boot, it's no longer fully encrypted. An attacker who would be using these tools can just get access to everything physically.
shopchin@reddit
Isn't that the same for all phones, and the alternative is not to use one?
Dpek1234@reddit
Yep
IIRC the reason for that is because the decryption key AFU is now in memory so it can actually be used. Then the memory can just be dumped and now you have the key.
itsaride@reddit
iPhones get disabled after 10 incorrect attempts + incremental wait times. There's no way through via brute forcing.
robot-exe@reddit
Cellebrite and Graykey don’t brute force the way you are thinking. They don’t have the incorrect attempts limitation. It’s not through the lock screen.
itsaride@reddit
Kind of irrelevant. The current state of any Cellebrite exploits on iPhone is only useful after the first unlock after a boot, so practically useless unless a user is dumb enough to unlock then re-lock a phone and pass it to an attacker, and iPhones have automatic reboot too.
00k5mp@reddit
It's not kind of irrelevant, you are just ignorant on the subject and unable to admit you're wrong.
battler624@reddit
The automatic reboot happens after 4 days.
More than enough time.
robot-exe@reddit
I'd have to go look at the latest release, but I've definitely brute-forced iPhones after turning them on before being unlocked for the first time since boot.
Warren-Emery@reddit
This brute-forcing technique, even in AFU state, is obsolete now; they have to find other techniques, but we just have to hope that this person has "screenshotted" the passage where the list of iOS devices is displayed and that he leaks the image.
Brilliant_Can6465@reddit
I'm on 14 and I doubt the police have broken in.
robot-exe@reddit
You can break into the 14 depending on the password. If you have a 4-digit password it'll be cracked over a weekend.
omeguito@reddit
What about the retry timeout?
robot-exe@reddit
Doesn't occur because they aren't brute-forcing through the lock screen.
omeguito@reddit
It’s not about the lock screen, they are using exploits that get regularly patched to avoid this abuse
robot-exe@reddit
And then they update their tools with a new exploit. It’s just a cat and mouse game. Every year Apple updates with new security fixes and then Cellebrite and Magnet come out with updates to their tools to get around the patches.
Apple’s phones aren’t immune to these tools just like how Android phones aren’t either.
AbhishMuk@reddit (OP)
Honestly, I have my old phone which one day decided I had the wrong pattern (I suspect a failing eMMC corrupted something)… I'd love to use one of these tools on it; it was probably Android 8, so it shouldn't even be that hard 🤞
Brilliant_Can6465@reddit
Yup all the best. I would probably clone the whole drive to get the data
Brilliant_Can6465@reddit
6 digits, iOS 14, XSa
robot-exe@reddit
6 digits is still relatively short to crack. Less than a month. Additionally, it matters if they have your phone after you've had it on and locked it, compared to being fully turned off and then turned on before any passcode has been entered. That can affect the speed of how long it takes to crack.
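Added example, not code from any commenter or from Cellebrite: a small Python model of the point argued above, that a lock-screen attempt limit caps an attacker at a handful of guesses, while a tool that bypasses the limiter can walk the whole keyspace, so passcode length is what sets the cost. The guess rate is an assumption; the 10-attempt budget is the figure cited in the thread.

```python
"""Constructed model of passcode guessing with and without a lock-screen
attempt limit. Rates are assumptions, not any vendor's real numbers."""

# The "10 incorrect attempts" budget mentioned in the thread (assumption: it
# is a hard cap; escalating delays only make the UI path slower still).
MAX_UI_FAILURES = 10


def keyspace(length: int, alphabet: int = 10) -> int:
    """Number of distinct passcodes: 4 digits -> 10_000, 6 digits -> 1_000_000."""
    return alphabet ** length


def ui_success_probability(space: int, max_failures: int = MAX_UI_FAILURES) -> float:
    """Best case for an attacker confined to the lock screen: one distinct
    guess per allowed attempt, so P(success) = attempts / keyspace (capped at 1)."""
    return min(max_failures, space) / space


def offline_expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random passcode when guessing at a
    constant rate with no attempt limit: half the keyspace on average."""
    return (space / 2) / guesses_per_second


def compare(guesses_per_second: float = 10.0) -> dict:
    """Side-by-side figures for the passcode lengths discussed in the thread,
    plus a 6-character alphanumeric code for contrast. The guess rate is an
    assumed placeholder; scale it to whatever hardware actually achieves."""
    rows = {}
    for label, length, alphabet in (("4 digits", 4, 10),
                                    ("6 digits", 6, 10),
                                    ("6 alnum", 6, 62)):
        space = keyspace(length, alphabet)
        rows[label] = {
            "keyspace": space,
            "lockscreen_p_success": ui_success_probability(space),
            "offline_expected_days": offline_expected_seconds(space, guesses_per_second) / 86400,
        }
    return rows


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:9s} {row}")
```

Each extra digit multiplies the offline cost by 10 while leaving the lock-screen path stuck at the same tiny attempt budget.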
Brilliant_Can6465@reddit
The battery had died prior to seizure
robot-exe@reddit
They'll just charge it and keep it charged as it's being brute-forced if they really want to get into it.
Brilliant_Can6465@reddit
It shut down
PolarisX@reddit
She goes to another school
Brilliant_Can6465@reddit
What?
vasteverse@reddit
You're a victim of marketing. Pixels have very similar security protections to iPhones, including a dedicated security chip. From what I've read, Android phones are generally harder/more frustrating to crack.
NeverDiddled@reddit
Back when Zerodium (a zero-day brokerage service) was still a thing, they paid considerably more for Android 0-days than iOS. They claimed it was because Android 0-days were rare, and they already had an unsold stockpile of iOS ones. Of course, some people felt it might just be that Android vulnerabilities sell faster than iOS, due to the larger audience.
AbhishMuk@reddit (OP)
TL;DR is that newer software and Pixels are consistently harder for Cellebrite to break, especially if locked and before first unlock.
GrapheneOS, interestingly (but perhaps unsurprisingly to anyone familiar with it) is harder to break than the stock ROM across the board.
Plank_With_A_Nail_In@reddit
ROM?
repocin@reddit
https://en.wikipedia.org/wiki/Custom_firmware#Android
https://en.wikipedia.org/wiki/List_of_custom_Android_distributions
superboo07@reddit
In this case ROM means the OS that's been flashed to the device.
EasyMrB@reddit
Love you Graphene devs.
shopchin@reddit
Extract what sort of data though?
NeverDiddled@reddit
The data stored on your phone. Often they can extract what they call the "FFS", Full File-System. Their tools help them decrypt it, frequently by pulling the key from memory.
Sopel97@reddit
The key does not exist in memory in unencrypted form.
pdp10@reddit
Possibly an earlier source: Someone Snuck Into a Cellebrite Microsoft Teams Call and Leaked Phone Unlocking Details.