Most active commenters
  • strcat(10)
  • ls612(4)
  • int0x29(3)
  • giantg2(3)
  • tranq_cassowary(3)

←back to thread

Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking

(arstechnica.com)
446 points akyuu | 36 comments | 30 Oct 25 23:12 UTC | HN request time: 0.002s | source | bottom
Show context
derbOac ◴[30 Oct 25 23:39 UTC] No.45766747[source]
They couldn't answer the question most on my mind: "We’ve reached out to Google to inquire about why a custom ROM created by volunteers is more resistant to industrial phone hacking than the official Pixel OS. We’ll update this article if Google has anything to say."
replies(10): >>45766778 #>>45777056 #>>45778032 #>>45778056 #>>45779079 #>>45779102 #>>45779404 #>>45780503 #>>45781099 #>>45783125 #
IncreasePosts ◴[31 Oct 25 21:45 UTC] No.45777056[source]
Is grapheheOS actually harder to hack or does cellebrite just not put a lot of effort into supporting it because the very low odds of LEs running into one in the wild?
replies(5): >>45777082 #>>45777144 #>>45777155 #>>45779084 #>>45779157 #
1. zb3 ◴[31 Oct 25 21:56 UTC] No.45777144{3}[source]
It physically disables USB ports when locked which significantly reduces the attack surface + can be configured to automatically reboot.
replies(2): >>45777712 #>>45778612 #
2. fph ◴[31 Oct 25 23:08 UTC] No.45777712[source]
Two fixes that would be trivial to backport to mainline Android.
replies(3): >>45777832 #>>45777836 #>>45779218 #
3. vbezhenar ◴[31 Oct 25 23:27 UTC] No.45777832[source]
You can configure USB port for charging only in the developer options.
replies(5): >>45777859 #>>45778136 #>>45779058 #>>45779241 #>>45781153 #
4. ls612 ◴[31 Oct 25 23:27 UTC] No.45777836[source]
iOS already does both of this afaik. At least the automatic reboot part, I think the USB data functionality is disabled in some cases while locked too.
replies(4): >>45777949 #>>45779169 #>>45779282 #>>45780058 #
5. andrepd ◴[31 Oct 25 23:31 UTC] No.45777859{3}[source]
On Lineage this is the default behaviour: charging only until I tap on a notification to change it.
replies(2): >>45778901 #>>45779276 #
6. int0x29 ◴[31 Oct 25 23:46 UTC] No.45777949{3}[source]
iOS is also compromised according to other cellebrite docs so that makes me think Graphene OS just might not be worth the effort for them.
replies(1): >>45777984 #
7. ls612 ◴[31 Oct 25 23:52 UTC] No.45777984{4}[source]
iOS was hackable in 2024 for certain hardware (in particular the checkm8 era phones) or for iOS versions which had known vulns at that point. Modern hardware with updates was still listed as “in research” which means “we can’t”.
replies(2): >>45778484 #>>45779287 #
8. giantg2 ◴[01 Nov 25 00:18 UTC] No.45778136{3}[source]
I think that's at the OS level. I think there are things that could be done through the firmware level.
replies(2): >>45778518 #>>45779248 #
9. int0x29 ◴[01 Nov 25 01:21 UTC] No.45778484{5}[source]
The last leak was in 2024. Hopefully somone nabs the latest iOS release information

Edit: last released leak showed they had broken the then most recent iOS release (17.5.1) in AFU state on all but the most recent hardware which was marked "available in CAS"

https://discuss.grapheneos.org/d/14344-cellebrite-premium-ju...

The good news is neither pixel nor iOS seems to show full file system extract under BFU state in the recent tables I can find.

replies(2): >>45778666 #>>45779351 #
10. wakawaka28 ◴[01 Nov 25 01:29 UTC] No.45778518{4}[source]
Since no phone on the market has open-source firmware, and the firmware likely has all the capabilities of the base system, I think arguing for a firmware lock on that is kind of pointless. Sure, every little bit of security helps, but ultimately you still need to trust a lot of stuff to use a smartphone or most other modern hardware.
replies(1): >>45781283 #
11. aussieguy1234 ◴[01 Nov 25 01:47 UTC] No.45778612[source]
The auto reboot is configured by default. Its quite a long window, every 18 hours or so from memory. It can be configured to be shorter than this.

I experimented with one hour, but missed an alarm.

Its good security practice to reboot your phone before going to bed, this puts it in the much harder to break in to BFU state.

replies(1): >>45779355 #
12. ls612 ◴[01 Nov 25 01:59 UTC] No.45778666{6}[source]
Neither have had any known BFU on the latest iOS for years. AFU is occasionally possible but most of the leaks had latest software and hardware as still protected. Powering off the phone is always still a good idea though if you can.
replies(1): >>45779294 #
13. tranq_cassowary ◴[01 Nov 25 03:36 UTC] No.45779058{3}[source]
That only turns it of on the OS level. GrapheneOS also turns it off on the level of the USB controller.
replies(1): >>45779247 #
14. tranq_cassowary ◴[01 Nov 25 04:06 UTC] No.45779169{3}[source]
iOS lacks configurabiluty for both. USB protection is also less thorough technically.
15. strcat ◴[01 Nov 25 04:20 UTC] No.45779218[source]
That's definitely not trivial and it's a small fraction of the security features GrapheneOS provides. https://news.ycombinator.com/item?id=45779157 explains several of the relevant features. Using hardware memory tagging for the whole base OS is definitely not trivial, and neither is implementing a much more hardened memory allocator. Our USB protection is not a trivial feature and is much more advanced than the USB protection features available in standard Android via the device admin API and Android 16 Advanced Protection mode.
replies(1): >>45780419 #
16. strcat ◴[01 Nov 25 04:25 UTC] No.45779241{3}[source]
No, that only changes the USB gadget mode. It doesn't disable USB peripheral support, USB protocol handling, etc. in the OS and doesn't disable USB at a hardware level. It doesn't protect against the vast majority of Linux kernel driver exploits heavily used by Cellebrite. They mainly exploit bugs in USB peripheral drivers but could also exploit lower level kernel code or firmware if they had to.

Modern Android on modern devices does support disabling software USB support for USB peripherals and USB gadgets while locked via Android 16 Advanced Protection feature. It also has a device admin API for disabling USB at a software level through device admin apps, which could implement disable it while locked but cannot provide support for still using a USB device connected while unlocked to make it much more usable. None of that provides comparable protection to the GrapheneOS USB protection feature, which is one small part of the overall GrapheneOS exploit protections.

By default, GrapheneOS blocks new USB connections at a software AND hardware level when the device is locked and then disabling USB data once existing connections end. You can get similar software level functionality via the Android 16 Advanced Protection feature but not the hardware-level protection or the many other exploit protections in GrapheneOS.

https://grapheneos.org/features#exploit-protection explains what's improved compared to standard Android 16. It's not documentation on Android + GrapheneOS features but rather only what GrapheneOS improves.

17. strcat ◴[01 Nov 25 04:28 UTC] No.45779247{4}[source]
That standard Android toggle doesn't turn off USB support at the OS level but rather controls the default USB gadget mode. USB gadget functionality is one part of the high level USB functionality. That doesn't block USB peripherals, USB-C alternate modes, etc. and leaves nearly all the kernel attack surface being exploited by Cellebrite intact.

See https://news.ycombinator.com/item?id=45779241 which explains this.

replies(1): >>45779290 #
18. strcat ◴[01 Nov 25 04:28 UTC] No.45779248{4}[source]
That standard Android toggle doesn't turn off USB support at the OS level but rather controls the default USB gadget mode. USB gadget functionality is one part of the high level USB functionality. That doesn't block USB peripherals, USB-C alternate modes, etc. and leaves nearly all the kernel attack surface being exploited by Cellebrite intact.

See https://news.ycombinator.com/item?id=45779241 which explains this.

replies(1): >>45781275 #
19. strcat ◴[01 Nov 25 04:34 UTC] No.45779276{4}[source]
That's the standard Android behavior for the USB gadget mode, not something specific to LineageOS, and it does not mean USB is in a charging-only mode but rather than no USB gadget functionality such as file transfer (MTP) is active. It does not mean USB peripherals and USB-C alternate mode are disabled, which certainly work in the default charging-only mode for Android's USB gadget setting. It doesn't even mean that USB gadget mode is fully disabled, only that it's in the MTP mode with MTP disabled. There's a slight difference between the regular and and more advanced setting: MTP mode with MTP disabled vs. no active USB gadget. The USB protection feature on GrapheneOS is for blocking new USB connections as a whole at both a software and hardware level and disabling USB data at a hardware level vs. that setting only controlling USB gadget mode. Most of the attack surface is in the USB protocol implementation and especially the USB peripheral drivers which are not disabled in the default mode Android calls charging-only since it's about USB gadget mode, i.e. using the phone itself as a peripheral.
replies(1): >>45786417 #
20. strcat ◴[01 Nov 25 04:36 UTC] No.45779282{3}[source]
iOS 18.1 added a variant of the locked device auto-reboot feature used by GrapheneOS, but it has a hard-wired 72 hour timer instead of a default 18 hour timer that's configurable between 10 minutes and 72 hours. iOS doesn't have an equivalent to the USB protection functionality in GrapheneOS and it doesn't enable what it does have by default.
21. strcat ◴[01 Nov 25 04:37 UTC] No.45779287{5}[source]
No, that's wrong. You're basing your claims on outdated leaks of Cellebrite documentation showing they didn't support the most recent iOS version yet, which they did end up support weeks later. You can't simply point to outdated documentation where they were working on catching up to claim they don't support those versions and devices today, which is in fact untrue.
22. tranq_cassowary ◴[01 Nov 25 04:38 UTC] No.45779290{5}[source]
Thanks, I was confusing it with the Advanced Protection feature.
23. strcat ◴[01 Nov 25 04:39 UTC] No.45779294{7}[source]
That's not true. Cellebrite has working BFU and AFU exploits for recent iOS and usually catches up to the latest iOS versions and hardware in weeks or a couple months. They do not have working brute force support for the Pixel 2 / Pixel 6 or later / iPhone 12 or later due to the secure elements but can still exploit the devices in BFU mode and extract the data available before unlocking. iPhone 17 may work out better due to hardware memory tagging but previous iOS and iPhone models did not hold out in the way you're claiming at all.
replies(3): >>45780251 #>>45780896 #>>45782249 #
24. strcat ◴[01 Nov 25 04:54 UTC] No.45779351{6}[source]
February 2025 documentation was posted by someone in that thread and a blog post was written by someone about it which was linked there. The initial link posted with the February 2025 documentation died and the blog post only focuses on Android and GrapheneOS rather than iOS too.

GrapheneOS has access to the latest Cellebrite Premium documentation since we have a contact able to share it with us. In April 2024 and then July 2024, we posted screenshots of specific capability tables from the documentation but then stopped doing it because it could result in losing access to it. The contact sharing it with us was still fine with us doing it but later came to the same conclusion we did that it's best not to post anything from it. Cellebrite doesn't like it being posted publicly even though it's essentially marketing their products, probably because it results in pressure on Android and iOS to stop it happening.

replies(1): >>45785334 #
25. strcat ◴[01 Nov 25 04:55 UTC] No.45779355[source]
Alarms work after reboot in the default system Clock app configuration. However, it does not work in all configurations since not everything is properly handled for the Clock app's Direct Boot mode. Google's Clock app works better since it diverged from AOSP Clock years ago. The main thing you'll miss are push notifications since the vast majority of apps do not have Direct Boot support for detecting there are notifications available. We aren't actually aware of any non-Google app supporting it.
26. commandersaki ◴[01 Nov 25 09:06 UTC] No.45780251{8}[source]
Citation needed.
27. fph ◴[01 Nov 25 09:45 UTC] No.45780419{3}[source]
I never wrote that the other Graphene OS features and mitigations are trivial. I agree that there is much more to that.

And even if the USB mitigations were hard to write (thanks for all your work, by the way!), they are surely significantly easier to backport from an open source project.

28. Sesse__ ◴[01 Nov 25 11:40 UTC] No.45780896{8}[source]
What data _is_ there to extract BFU, really, if you can't break the secure element? I mean, the main storage isn't decrypted yet, right?
29. linux_modder ◴[01 Nov 25 12:33 UTC] No.45781153{3}[source]
With Grapheneos no need for developer options however. It's in the usual menu in the exploit protections submenus.
30. giantg2 ◴[01 Nov 25 12:56 UTC] No.45781275{5}[source]
Sorry, I had the wrong terminology.
31. giantg2 ◴[01 Nov 25 12:57 UTC] No.45781283{5}[source]
I had the wrong terminology. Your sibling comment explains it better.
32. ls612 ◴[01 Nov 25 15:10 UTC] No.45782249{8}[source]
My mental model of this is “Apple releases new iOS with security patches -> time passes before cellebrite develops an AFU exploit -> Eventually Apple patches the exploit -> go to step 1”. By adding auto reboot Apple ensured that since lots of the time is spent in the stage where the latest iOS has no AFU exploit and AFU becomes BFU before that changes, and thus they are stuck with only extracting whatever is unencrypted at boot time at best. The leaked matrices even for September 2024 had no BFU listed for any remotely recent versions.
33. oddmiral ◴[01 Nov 25 21:04 UTC] No.45785334{7}[source]
Any info on recent ban of SafeDot by Android and GOS? Any plans to implement SafeDot as an official GOS app?
replies(1): >>45785485 #
34. int0x29 ◴[01 Nov 25 21:19 UTC] No.45785485{8}[source]
Isn't that now a native android function?
replies(1): >>45786385 #
35. oddmiral ◴[01 Nov 25 23:18 UTC] No.45786385{9}[source]
A little green dot? No, it's a small fraction of SafeDot functionality. I'm interested in audible notification when camera, mic, or gps is accessed. Currently, I cannot make it work on GOS (maybe, may phone is hacked).
36. andrepd ◴[01 Nov 25 23:23 UTC] No.45786417{5}[source]
Got it, that makes sense! Thanks for explaining :)