Someone recently managed to get on a Microsoft Teams call with representatives from phone hacking company Cellebrite, and then leaked a screenshot of the company’s capabilities against many Google Pixel phones, according to a forum post about the leak and 404 Media’s review of the material.
The leak follows others obtained and verified by 404 Media over the last 18 months. Those leaks impacted both Cellebrite and its competitor Grayshift, now owned by Magnet Forensics. Both companies constantly hunt for techniques to unlock phones that law enforcement has physical access to.
“You can Teams meeting with them. They tell everything. Still cannot extract esim on Pixel. Ask anything,” a user called rogueFed wrote on the GrapheneOS forum on Wednesday, speaking about what they learned about Cellebrite capabilities. GrapheneOS is a security- and privacy-focused Android-based operating system.
rogueFed then posted two screenshots of the Microsoft Teams call. The first was a Cellebrite Support Matrix, which lays out whether the company’s tech can, or can’t, unlock certain phones and under what conditions. The second screenshot was of a Cellebrite employee.

💡 Do you know anything else about phone unlocking technology? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
According to another of rogueFed’s posts, the meeting took place in October. The meeting appears to have been a sales call. The employee is a “pre sales expert,” according to a profile available online.
The Support Matrix is focused on modern Google Pixel devices, including the Pixel 9 series. The screenshot does not include details on the Pixel 10, which is Google’s latest device. It discusses Cellebrite’s capabilities regarding ‘before first unlock’, or BFU, meaning a piece of phone unlocking tech tries to open a device before someone has typed in the phone’s passcode for the first time since it was turned on. It also shows Cellebrite’s capabilities against after first unlock, or AFU, devices.
Screenshot via GrapheneOS forum.
The Support Matrix also shows Cellebrite’s capabilities against Pixel devices running GrapheneOS, with some differences between phones running that operating system and stock Android. Cellebrite does, for example, support Pixel 9 devices in the BFU state. Meanwhile the screenshot indicates Cellebrite cannot unlock Pixel 9 devices running GrapheneOS in the BFU state.
In a statement, Victor Cooper, senior director of corporate communications and content strategy at Cellebrite, told 404 Media “We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.” Google did not immediately respond to a request for comment.
GrapheneOS is a long-running project which makes sizable security changes to an Android device. “GrapheneOS is focused on substance rather than branding and marketing. It doesn’t take the typical approach of piling on a bunch of insecure features depending on the adversaries not knowing about them and regressing actual privacy/security. It’s a very technical project building privacy and security into the OS rather than including assorted unhelpful frills or bundling subjective third party apps choices,” the project’s website reads.
As well as being used by the privacy and security conscious, criminals also turn to GrapheneOS. After the FBI secretly ran its own backdoored encrypted phone company for criminals, some drug traffickers and the people who sell technology to the underworld shifted to using GrapheneOS devices with Signal installed, according to interviews with phone sellers.
In their forum post, rogueFed wrote that the “meeting focused specific on GrapheneOS bypass capability.”
They added “very fresh info more coming.”
- “We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage”
  - Lmao fuck them 😂 the GrapheneOS forum is exactly where this info belongs so the devs can patch any vulnerabilities. As if companies like Cellebrite care if (other) malicious actors get their hands on the exploits. They just don’t want the vulnerabilities to be fixed so they can keep using them
- This article is behind a paywall. So I found it for free. Same subject and leaks. https://www.androidauthority.com/cellebrite-leak-google-pixel-grapheneos-security-3611794/
  - There’s also archive.today that can bypass these paywalls. https://archive.ph/NfjJm
- “We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.”
  - I was under the impression it was illegal to use exploits for purposes other than responsible disclosure?
    - Yep for you it is. These guys are friends with governments.
    - “illegal”
      - What do you think this means?
        - Violation of the unauthorized access provision of the CFAA, or the anti-circumvention provision of the DMCA
          - No, the word. What do you think “illegal” is?
- Companies like Cellebrite are the scum of the world.
  - I’m actually thankful they exist, because they’re a commercial company. They disclose their capabilities and they advertise. If this was strictly a government operation, it could be quite secret, quite nebulous, we wouldn’t get as many leaks. They’re fulfilling a very positive role in the ecosystem as a red team giving valuable feedback to GOS for blue teaming.
- From the GOS forums, it looks like as long as you keep your phone up-to-date, block USB data in the locked state, and the phone is in the before-first-unlock state, Cellebrite still can’t break into it
  - “block USB data in the locked state”
    - So “charging-only when locked” is safe then, right?
  - Can’t keep your phone up-to-date if you’re no longer in possession of it.
    - Set a reboot timer. It’ll shut down and dump the keys out of RAM putting it in the more difficult BFU state. That way if your phone is taken and not unlocked successfully by you within a day or so it’ll render itself much harder to crack.
      - That still won’t keep the phone up to date, as you have to decrypt the device for it to update.
        - It negates the need for updates because it’s much less likely that BFU attacks are discovered that could compromise the phone.
  - “the before-first-unlock state”
    - Embarrassed to ask what this is exactly…?
      - When you reboot the phone, it is in the BFU state where everything is still encrypted until the user unlocks the phone, as I understand it. https://blogs.dsu.edu/digforce/2023/08/23/bfu-and-afu-lock-states/
        - What if you long press power button and select “lock down”? Does that put it in the same BFU state?
          - No. Lockdown is not the same as BFU. Lockdown just turns off biometric unlocking.
            - This is a good precision to be aware of.
            - It is still an important function because in some places law enforcement may be legally authorized to compel a user to unlock their phone using biometrics, but of course if you disable biometrics, there are less options to force you to enter your passphrase/password etc.
          - Afaik, it only disables biometrics. BFU means the entire phone (should be) encrypted. You can test this by playing media and then pressing the lockdown button. If the media continues playing, it’s not encrypted.
            - If you can’t shut your phone down for whatever reason, disabling biometrics would be the second best option (assuming police cannot force you to reveal your password).
      - When your phone reboots, it prompts for a password before you are able to use any functionality of the phone (nothing’s running in the background until you unlock for security purposes).
        - Before-First-Unlock refers to this, the post-reboot screen where nothing is actively running that can be easily hijacked. If you set your phone to auto-reboot after a certain amount of hours, you can safely assume people will have to have a BFU exploit to ransack your phone.
        - The opposite of this is After-first-unlock (AFU), which is after that initial reboot password check.
  - would using lockdown mimic the BFU state? or does it not matter once you actually unlock the first time?
    - The latter is true. Phone needs to be in BFU to work against Cellebrite, I figure. Lockdown only turns off biometrics and makes the phone unlockable with a pin or password instead, iirc.
    - If you have enough time to put your phone in lockdown, just power it off. You can also set it so that the phone will automatically reboot if not unlocked in some time period (like a day).
      - This makes it go into BFU mode if it’s lost or stolen and kept powered.
      - Where can I find the auto reboot setting?
        - Assuming you’re on GrapheneOS: https://grapheneos.org/features#auto-reboot
          - I don’t think most other OEMs have an auto reboot feature
            - Yeah, oops, GOS only.
          - “I don’t think most other OEMs have an auto reboot feature”
            - There are very few phones where it would help because they’re BFU exploitable.
              - Sounds like a lot of people are out there selling defective hardware.
        - On GOS, Settings > Security > Exploit protection
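The thread above turns on three states that are easy to conflate: before first unlock (BFU, no credential-derived key in RAM), after first unlock (AFU, key cached in RAM even while the screen is locked), and lockdown (screen locked and biometrics disabled, but still AFU). The toy model below is an added illustration written for this page, not code from 404 Media, GrapheneOS or Cellebrite. It assumes an Android-style split between device-encrypted storage that is readable at boot and credential-encrypted storage whose key is derived from the passcode; the class names, the HMAC-based stream cipher and the sample data are constructed for the example (real devices use hardware-backed key derivation and AES). The `read_ce_background()` call plays the role of the "does the media keep playing?" test from the thread, and `tick()` models the auto-reboot timer: after the timer fires the key is gone and the same read returns nothing.

```python
"""Toy model of BFU vs AFU vs lockdown (added example; assumptions noted inline)."""
import hashlib
import hmac
import os


def derive_ce_key(passcode: str, salt: bytes) -> bytes:
    # Credential-encrypted (CE) key derived from the passcode; on a real phone
    # this runs through a hardware-backed KDF, here plain PBKDF2 (assumption).
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000, 32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher for the model only: HMAC-SHA256 counter-mode keystream.
    # Symmetric, so the same call encrypts and decrypts.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Device:
    """Minimal phone: DE storage always readable, CE storage needs the cached key."""

    def __init__(self, passcode: str, ce_data: bytes, auto_reboot_after: int):
        self.salt = os.urandom(16)
        key = derive_ce_key(passcode, self.salt)
        # Verifier lets unlock() reject a wrong passcode without storing the key.
        self.verifier = hmac.new(key, b"ce-key-verifier", "sha256").digest()
        self.ce_blob = keystream_xor(key, ce_data)        # CE data at rest
        self.de_data = b"boot config, alarm settings"     # DE data (constructed)
        self.auto_reboot_after = auto_reboot_after        # seconds since last unlock
        self.reboot()

    def reboot(self) -> None:
        self.ce_key = None            # key leaves RAM: this is what BFU means
        self.screen_locked = True
        self.biometrics_enabled = True
        self.last_unlock = None

    def state(self) -> str:
        return "BFU" if self.ce_key is None else "AFU"

    def unlock(self, passcode: str, now: int) -> bool:
        key = derive_ce_key(passcode, self.salt)
        check = hmac.new(key, b"ce-key-verifier", "sha256").digest()
        if not hmac.compare_digest(check, self.verifier):
            return False
        self.ce_key = key             # first unlock: phone is now AFU
        self.screen_locked = False
        self.biometrics_enabled = True
        self.last_unlock = now
        return True

    def unlock_biometric(self) -> bool:
        # A fingerprint cannot derive the CE key, so biometrics only work AFU,
        # and lockdown switches them off until the next passcode entry.
        if self.ce_key is None or not self.biometrics_enabled:
            return False
        self.screen_locked = False
        return True

    def lockdown(self) -> None:
        self.screen_locked = True
        self.biometrics_enabled = False   # key stays in RAM: still AFU

    def tick(self, now: int) -> None:
        """Auto-reboot timer: reboot if not unlocked within the window."""
        if self.ce_key is not None and now - self.last_unlock >= self.auto_reboot_after:
            self.reboot()

    def read_ce_background(self):
        """What a background app (e.g. a media player) can read; None in BFU."""
        if self.ce_key is None:
            return None
        return keystream_xor(self.ce_key, self.ce_blob)


def demo() -> dict:
    """Walk one phone through boot, unlock, lockdown and the auto-reboot timer."""
    phone = Device("correct horse", b"photos, messages (constructed sample)", 24 * 3600)
    obs = {}
    obs["boot_state"] = phone.state()                          # BFU
    obs["bfu_background_read"] = phone.read_ce_background()    # None: nothing to hijack
    obs["bfu_biometric"] = phone.unlock_biometric()            # False
    obs["wrong_pin"] = phone.unlock("1234", now=0)             # False
    obs["right_pin"] = phone.unlock("correct horse", now=0)    # True
    obs["afu_state"] = phone.state()                           # AFU
    phone.lockdown()
    obs["lockdown_state"] = phone.state()                      # still AFU
    obs["lockdown_biometric"] = phone.unlock_biometric()       # False
    obs["lockdown_background_read"] = phone.read_ce_background() is not None  # True
    phone.tick(now=23 * 3600)
    obs["before_timer_state"] = phone.state()                  # AFU
    phone.tick(now=24 * 3600)
    obs["after_timer_state"] = phone.state()                   # BFU again
    obs["after_timer_background_read"] = phone.read_ce_background()  # None
    return obs


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Lockdown leaves `lockdown_background_read` true because the key never left RAM, which is exactly why the thread treats lockdown as a biometrics switch rather than a BFU equivalent; only `reboot()`, whether manual or from the timer, clears it.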
- Wish they’d shared the iOS slide as well 