Leaked Docs Show What Phones Cellebrite Can and Can't Unlock

Cellebrite, the well-known mobile forensics company, was unable to unlock a sizable chunk of modern iPhones available on the market as of April 2024, 404 Media reported Wednesday, citing leaked documents it obtained. From the report: Mobile forensics companies typically do not release details on what specific models their tools can or cannot penetrate, instead using vague terms in marketing materials. The documents obtained by 404 Media, which are given to customers but not published publicly, show how fluid and fast moving the success, or failure, of mobile forensic tools can be, and highlights the constant cat and mouse game between hardware and operating manufacturers like Apple and Google, and the hacking companies looking for vulnerabilities to exploit.

[...] For all locked iPhones able to run 17.4 or newer, the Cellebrite document says "In Research," meaning they cannot necessarily be unlocked with Cellebrite's tools. For previous iterations of iOS 17, stretching from 17.1 to 17.3.1, Cellebrite says it does support the iPhone XR and iPhone 11 series. Specifically, the document says Cellebrite recently added support to those models for its Supersonic BF [brute force] capability, which claims to gain access to phones quickly. But for the iPhone 12 and up running those operating systems, Cellebrite says support is "Coming soon."

Still remember: Do not trust your phone

[gweihir]

Regardless of brand, OS and version. For example, a primary reason for a removable battery is to be able to reliably (!) switch a phone off.

Re: Still remember: Do not trust your phone

[Samuel Silverstein]

Seems they struggle with graphene os. No Google stuff in it by default, but you can install it and have it heavily sandboxed. Plus you get a ton of control over what apps have access to, well beyond what stock Android provides. WhatsApp thinks it has access to my contacts, but it really doesn't.

Re:

[AmiMoJo]

The vulnerabilities have nothing to do with Google apps, not having those won't help you. It's mostly down to the phone's firmware, the bootloader and the way it stores the encryption keys for the flash memory.

Modern versions of Android have a system where the OS is encrypted with one key so that the phone can boot up, and then another key is required to unlock the user's data files. The keys are normally stored in a secure part of the phone's SoC, which also contains the CPU and various peripherals.

So eith

Re: Still remember: Do not trust your phone

[Samuel Silverstein]

That's nice and all but they literally claim that they haven't been able to break graphene os since an old 2022 release. If they're attacking it at a lower level, then the OS wouldn't even be relevant, so why bother mentioning it? They also make clear distinctions between devices in AFU and BFU states.

Re: Still remember: Do not trust your phone

[Samuel Silverstein]

Also graphene by default reboots the phone if you haven't successfully unlocked it within the last 18 hours. In a situation like this, it likely would have been BFU by then.

Re:

[AmiMoJo]

Because they are saying that if the phone is booted up and was initially unlocked, they can get into some versions of the OS that way, even if they can't get past the firmware. On the other hand, if they can't get into the OS, they may be able to hack the firmware.

Re: Still remember: Do not trust your phone

[Samuel Silverstein]

You might want to look up what AFU and BFU mean. After that, have a look at the charts. What do they say about both states when it comes to graphene os?

Paywall

[io333]

Linkers of paywalls go to Pound-Me-In-The-Ass-Federal-Prison

Re:Paywall

[icejai]

https://archive.is/qgBWB [archive.is]

Physical access to the hardware

[MikeDataLink]

Once you have physical access to the hardware, getting in becomes far easier.

Re:

[Malay2bowman]

Despite the encryption the US government has, they still require any discarded storage media to be shredded up and for a good reason.

Does Apple fix the flaws?

[jonwil]

Does Apple fix (or try to fix) any security flaws that allow these devices to get into their phones?

Re:Does Apple fix the flaws

[UnknowingFool]

The current iOS 17 appears to have releases at least once a month. It was first launched in September 2023 with the currrent minor version being 17.5.1 as of May 20, 2024. It seems to be an ongoing battle between Apple and Cellebrite when it comes to security patches.

Re:

[omnichad]

Why do you think these docs are only public when leaked? They go out of their way to not let Apple know about the security flaws that pays their bills.

Also that would be very clearly why 17.4 is currently not unlockable.

Re: Does Apple fix the flaws?

[Samuel Silverstein]

I wouldn't count on it.

Re: Does Apple fix the flaws?

[gnasher719]

Since they cannot attack ios 17.4 right now, there will be some code change from iOS 17.3 that prevents some attack, either intentionally or unintentional.

Unintentional would be: Apple dev finds a bug and fixes it, without thinking too much about the consequences of the bug. Itâ(TM)s wrong, so you fix it. Or: Thereâ(TM)s a bug that allows changing memory location X, and changing X is an attack vector. Some random code change leaves the bug, but it now changes location Y, which is harmless. Y might be inside a decoded image so all you get is some pixels incorrect, while X was inside an undecoded image and exploits a bug in the decoder.

Doubt this applies to their Premium Service

[bubblyceiling]

Based on the matrix for iOS, these are the same limitations as for "checkm8", which is very widely used exploit and is well known. As such these limitations sound like they would only apply to their standard UFED Kit.

The cloud based "Premium Service" probably costs a lot more and I find it very hard to believe that they would be relying on checkm8 for that. In all likelihood they have some 0-days lined up for customers willing to pay. As the article also says

... Cellebrite Premium, a service that either gives the client’s UFED more capabilities, is handled in Cellebrite’s own cloud, or comes as an “offline turnkey solution,” according to a video on Cellebrite’s website. That video says that Cellebrite Premium is capable of obtaining the passcode for “nearly all of today’s mobile devices, including the latest iOS and Android versions.”

Re:

[omnichad]

nearly all of today’s mobile devices, including the latest iOS and Android versions

Very weasely wording. They could mean nearly all of the latest iOS and Android versions rather than just nearly all of the hardware.

Re: Doubt this applies to their Premium Service

[Samuel Silverstein]

It appears they're targeting OS exploits. The reason I say that is they (and others) have claimed they're not able to crack grapheneos devices since an old 2022 release. Yet no hardware devices actually ship with grapheneos.

It's a trap!

[skaag]

There's no phone they can't unlock. There's always some trick, some vulnerability, and it's just a matter of having a determined hacker work on the device for long enough. This is just a ruse to give criminals and terrorists a false sense of security.

Re:

[Kiaser Zohsay]

This is just a ruse to give criminals and terrorists a false sense of security.

And us, too.

Re:It's a trap!

[Rujiel]

"Criminals and terrorists", are you talking about Cellebrite? They work closely with the Israeli government and other human rights violators, after all. https://www.timesofisrael.com/... [timesofisrael.com]

Re:

[Pinky's Brain]

Cost of exploit is an excellent barrier.

That said, unless your battery died Feds can just go to Apple and say "how does your liveliness detection work" and use the biometric unlock.

Joke's on them, my phone doesn't even lock

[Rick Schumann]

Still not owning a smartphone. $40 plastic semi-dumbphone (runs a very stripped-down version of Android). Every month that passes I seem to have even more reasons to never own a smartphone, and the list of reasons to get one never increases. Also enjoying that whopping $25 per month to use it.

Re:

[UnknowingFool]

How do you send E2EE messages or do you just not bother with that phone?

Re:

[Rick Schumann]

*shrug* I don't.

I pay for Proton email since I got fiber internet, and that's E2EE, but I don't even consider that to be secure.

If I want 'secure communications' I'll have a F2F conversation with someone, but considering that I'm not an intelligence operative or a criminal, there's very little I ever have to discuss with anyone that's so sensitive I'd worry about being surveilled.

Also what makes you think your smartphone is in any way shape or form secure, regardless of what 'app' you use? Your phone com

Re:

[omnichad]

Which just means that's not where your secrets are stored. Either you have to hide your paper really well or you are using some other electronic device.

Re:

[Rick Schumann]

If I have any secrets, they're in my head and nowhere else. Even if you seize all my computers all you're going to find are some very meticulous records of what I eat every day, and a rather sad little collection of porn clips.

Re:

[registrations_suck]

Congratulations!!

I only pay $12.50/month to use my phone.

Re:

[Malay2bowman]

Reminds me of the 'Annedroyids'(not an actual name) which were just gussied up feature phones with a touchscreen and UI specifically crafted in hopes in tricking buyers into thinking they were getting an actual Android phone instead of the J2ME running crap they were trying to replace. Kind of like selling a Magnetbox or a Sorny.

Re:

[Rick Schumann]

Except I wasn't fooled into anything, I specifically chose a non-smartphone. Doesn't even have a touchscreen (thankfully. I hate touchsceens). It's about as close to an old Nokia phone as you can get without being an old Nokia phone. The only thing I don't care for is multi-tap for text messages, can be really tedious at times.

How is this not a DMCA violation?

[illogicalpremise]

Even as a foreigner, if I sold a tool to decrypt a commercial encryption scheme to Americans I'd be violating the DMCA right? Is what they are doing specifically exempt or are they just getting away with it because the government chooses to turn a blind eye? Why do I risk jail for hacking my tractor but they can legally break into a strangers phone?

Re: How is this not a DMCA violation?

[gnasher719]

The DMCA is about copyright violations. And you can go against copyright violators. But making tools is not part of DMCA.

The unabomber claimed that publishing his blackmail letters (to catch him) was copyright violation. Which was basically admitting guilt, because only the copyright holder can sue.

Re:

[Malay2bowman]

"For thee but not for me". The butt end of a double standard always applies to the plebs.

Better link

[bill_mcgonigle]

https://superchargednews.com/2... [superchargednews.com]

No email signup nonsense to read.

But tldr: iOS 17.4+ or Pixel 6/7/8.

Great wording

[gnasher719]

"Supports iPhone XR and iPhone XSâ. Itâ(TM)s not quite what I would call âoesupportingâ.

But they cannot hack iPhone 12 and newer. Thatâ(TM)s four complete generations. I assume there is hardware in an iPhone 11 that they can attack and that apple cannot fix for less than the price of an iPhone 12 on eBay.

Android differences?

[schweini]

For me, the interesting part is that Pixel 6 is protected, but other more recent Androids lie the S24 are not.
Since they are all running the same basic Android versions, I'd LOVE to know what the diferences are.