Most active commenters
  • strcat(4)
  • giantg2(3)

←back to thread

Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking

(arstechnica.com)
446 points akyuu | 14 comments | 30 Oct 25 23:12 UTC | HN request time: 0.001s | source | bottom
Show context
derbOac ◴[30 Oct 25 23:39 UTC] No.45766747[source]
They couldn't answer the question most on my mind: "We’ve reached out to Google to inquire about why a custom ROM created by volunteers is more resistant to industrial phone hacking than the official Pixel OS. We’ll update this article if Google has anything to say."
replies(10): >>45766778 #>>45777056 #>>45778032 #>>45778056 #>>45779079 #>>45779102 #>>45779404 #>>45780503 #>>45781099 #>>45783125 #
IncreasePosts ◴[31 Oct 25 21:45 UTC] No.45777056[source]
Is grapheheOS actually harder to hack or does cellebrite just not put a lot of effort into supporting it because the very low odds of LEs running into one in the wild?
replies(5): >>45777082 #>>45777144 #>>45777155 #>>45779084 #>>45779157 #
zb3 ◴[31 Oct 25 21:56 UTC] No.45777144{3}[source]
It physically disables USB ports when locked which significantly reduces the attack surface + can be configured to automatically reboot.
replies(2): >>45777712 #>>45778612 #
fph ◴[31 Oct 25 23:08 UTC] No.45777712{4}[source]
Two fixes that would be trivial to backport to mainline Android.
replies(3): >>45777832 #>>45777836 #>>45779218 #
1. vbezhenar ◴[31 Oct 25 23:27 UTC] No.45777832{5}[source]
You can configure USB port for charging only in the developer options.
replies(5): >>45777859 #>>45778136 #>>45779058 #>>45779241 #>>45781153 #
2. andrepd ◴[31 Oct 25 23:31 UTC] No.45777859[source]
On Lineage this is the default behaviour: charging only until I tap on a notification to change it.
replies(2): >>45778901 #>>45779276 #
3. giantg2 ◴[01 Nov 25 00:18 UTC] No.45778136[source]
I think that's at the OS level. I think there are things that could be done through the firmware level.
replies(2): >>45778518 #>>45779248 #
4. wakawaka28 ◴[01 Nov 25 01:29 UTC] No.45778518[source]
Since no phone on the market has open-source firmware, and the firmware likely has all the capabilities of the base system, I think arguing for a firmware lock on that is kind of pointless. Sure, every little bit of security helps, but ultimately you still need to trust a lot of stuff to use a smartphone or most other modern hardware.
replies(1): >>45781283 #
5. tranq_cassowary ◴[01 Nov 25 03:36 UTC] No.45779058[source]
That only turns it of on the OS level. GrapheneOS also turns it off on the level of the USB controller.
replies(1): >>45779247 #
6. strcat ◴[01 Nov 25 04:25 UTC] No.45779241[source]
No, that only changes the USB gadget mode. It doesn't disable USB peripheral support, USB protocol handling, etc. in the OS and doesn't disable USB at a hardware level. It doesn't protect against the vast majority of Linux kernel driver exploits heavily used by Cellebrite. They mainly exploit bugs in USB peripheral drivers but could also exploit lower level kernel code or firmware if they had to.

Modern Android on modern devices does support disabling software USB support for USB peripherals and USB gadgets while locked via Android 16 Advanced Protection feature. It also has a device admin API for disabling USB at a software level through device admin apps, which could implement disable it while locked but cannot provide support for still using a USB device connected while unlocked to make it much more usable. None of that provides comparable protection to the GrapheneOS USB protection feature, which is one small part of the overall GrapheneOS exploit protections.

By default, GrapheneOS blocks new USB connections at a software AND hardware level when the device is locked and then disabling USB data once existing connections end. You can get similar software level functionality via the Android 16 Advanced Protection feature but not the hardware-level protection or the many other exploit protections in GrapheneOS.

https://grapheneos.org/features#exploit-protection explains what's improved compared to standard Android 16. It's not documentation on Android + GrapheneOS features but rather only what GrapheneOS improves.

7. strcat ◴[01 Nov 25 04:28 UTC] No.45779247[source]
That standard Android toggle doesn't turn off USB support at the OS level but rather controls the default USB gadget mode. USB gadget functionality is one part of the high level USB functionality. That doesn't block USB peripherals, USB-C alternate modes, etc. and leaves nearly all the kernel attack surface being exploited by Cellebrite intact.

See https://news.ycombinator.com/item?id=45779241 which explains this.

replies(1): >>45779290 #
8. strcat ◴[01 Nov 25 04:28 UTC] No.45779248[source]
That standard Android toggle doesn't turn off USB support at the OS level but rather controls the default USB gadget mode. USB gadget functionality is one part of the high level USB functionality. That doesn't block USB peripherals, USB-C alternate modes, etc. and leaves nearly all the kernel attack surface being exploited by Cellebrite intact.

See https://news.ycombinator.com/item?id=45779241 which explains this.

replies(1): >>45781275 #
9. strcat ◴[01 Nov 25 04:34 UTC] No.45779276[source]
That's the standard Android behavior for the USB gadget mode, not something specific to LineageOS, and it does not mean USB is in a charging-only mode but rather than no USB gadget functionality such as file transfer (MTP) is active. It does not mean USB peripherals and USB-C alternate mode are disabled, which certainly work in the default charging-only mode for Android's USB gadget setting. It doesn't even mean that USB gadget mode is fully disabled, only that it's in the MTP mode with MTP disabled. There's a slight difference between the regular and and more advanced setting: MTP mode with MTP disabled vs. no active USB gadget. The USB protection feature on GrapheneOS is for blocking new USB connections as a whole at both a software and hardware level and disabling USB data at a hardware level vs. that setting only controlling USB gadget mode. Most of the attack surface is in the USB protocol implementation and especially the USB peripheral drivers which are not disabled in the default mode Android calls charging-only since it's about USB gadget mode, i.e. using the phone itself as a peripheral.
replies(1): >>45786417 #
10. tranq_cassowary ◴[01 Nov 25 04:38 UTC] No.45779290{3}[source]
Thanks, I was confusing it with the Advanced Protection feature.
11. linux_modder ◴[01 Nov 25 12:33 UTC] No.45781153[source]
With Grapheneos no need for developer options however. It's in the usual menu in the exploit protections submenus.
12. giantg2 ◴[01 Nov 25 12:56 UTC] No.45781275{3}[source]
Sorry, I had the wrong terminology.
13. giantg2 ◴[01 Nov 25 12:57 UTC] No.45781283{3}[source]
I had the wrong terminology. Your sibling comment explains it better.
14. andrepd ◴[01 Nov 25 23:23 UTC] No.45786417{3}[source]
Got it, that makes sense! Thanks for explaining :)