Cellphones Privacy Security

Someone Snuck Into a Cellebrite Microsoft Teams Call and Leaked Phone Unlocking Details (404media.co) 56

An anonymous reader quotes a report from 404 Media: Someone recently managed to get on a Microsoft Teams call with representatives from phone hacking company Cellebrite, and then leaked a screenshot of the company's capabilities against many Google Pixel phones, according to a forum post about the leak and 404 Media's review of the material. The leak follows others obtained and verified by 404 Media over the last 18 months. Those leaks impacted both Cellebrite and its competitor Grayshift, now owned by Magnet Forensics. Both companies constantly hunt for techniques to unlock phones law enforcement have physical access to.

"You can Teams meeting with them. They tell everything. Still cannot extract esim on Pixel. Ask anything," a user called rogueFed wrote on the GrapheneOS forum on Wednesday, speaking about what they learned about Cellebrite capabilities. GrapheneOS is a security- and privacy-focused Android-based operating system. rogueFed then posted two screenshots of the Microsoft Teams call. The first was a Cellebrite Support Matrix, which lays out whether the company's tech can, or can't, unlock certain phones and under what conditions. The second screenshot was of a Cellebrite employee. According to another of rogueFed's posts, the meeting took place in October. The meeting appears to have been a sales call. The employee is a "pre sales expert," according to a profile available online.

The Support Matrix is focused on modern Google Pixel devices, including the Pixel 9 series. The screenshot does not include details on the Pixel 10, which is Google's latest device. It discusses Cellebrite's capabilities regarding 'before first unlock', or BFU, when a piece of phone unlocking tech tries to open a device before someone has typed in the phone's passcode for the first time since being turned on. It also shows Cellebrite's capabilities against after first unlock, or AFU, devices. The Support Matrix also shows Cellebrite's capabilities against Pixel devices running GrapheneOS, with some differences between phones running that operating system and stock Android. Cellebrite does support, for example, Pixel 9 devices BFU. Meanwhile the screenshot indicates Cellebrite cannot unlock Pixel 9 devices running GrapheneOS BFU. In their forum post, rogueFed wrote that the "meeting focused specific on GrapheneOS bypass capability." They added "very fresh info more coming."

  • no need to "sneak in" if you're invited or added

  • Poetic justice.

    • by Anonymous Coward
      From Wikipedia:
      "Cellebrite DI Ltd. is a digital forensics company headquartered in Petah Tikva, Israel"

      No comment.

      "On 12 January 2017, it was reported that an unknown hacker had acquired 900 GB worth of confidential data from Cellebrite's external servers."

      Oof!!!
  • by 93 Escort Wagon ( 326346 ) on Thursday October 30, 2025 @11:32PM (#65763262)

    It's for "paid subscribers" only, like all of the 404 Media stuff that gets spammed here.

  • by Midnight_Falcon ( 2432802 ) on Friday October 31, 2025 @12:29AM (#65763294)
    Cellebrite/GrayKey can get full access (FFS) to Pixel phones after first unlock. So a reboot before going to places like customs etc can defeat these tools, or at least limit them to much less data. GrapheneOS on a Pixel 9 or later as long as you keep it up to date (pre 2022 is vulnerable) is bulletproof. People concerned about government or nation state actors with physical access to their phone...Pixel with GrapheneOS is clearly the best choice in phone for now.
    • by mysidia ( 191772 )

      So a reboot before going to places like customs etc can defeat these tools

      Customs would be an example of an agency that does not need something like Cellebrite for routine searches.. only in extreme cases would they.

      If you power off your phone or reboot it or have it locked going through customs: Customs holds you at the gate and requires you to provide the passcode to unlock the phone or laptop. If you fail to provide the passcode: they seize the device, and you at the border. If they demand to search

      • Re:The takeaway (Score:5, Informative)

        by dmitrygr ( 736758 ) on Friday October 31, 2025 @01:05AM (#65763326) Homepage
        Notable point: If you are a US citizen they might seize the device but you WILL be admitted into the country - a citizen cannot be denied entry. Additionally thanks to the 4th and 5th amendments, you will not be required to provide the passcode. If you are NOT a US citizen, you may be denied entry into the country (and the device might still be seized)
        • In theory, you are correct.

          Alternatively, you could always become an unwilling participant in a secret govt security program.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          From a discussion with Kyle Courtney. The legal landscape at the border is ever changing, especially now.

          Kyle Courtney, who teaches about cybersecurity and cyberlaw at Northeastern University, says the question of legality and rights is complex at the border.

          Courtney also says travelers who are concerned about their phones being searched should be mindful of what kind of password they have on their device. Increasingly, the courts have started to distinguish between a passcode and facial recognition and fingerprint scans.

          “Verbally providing your password is considered compulsion of your testimony. If you’re speaking, that is protected by the Fifth Amendment,” Courtney says. “The physical act of providing a fingerprint is not testimonial according to some courts and, therefore, not protected by the Fifth Amendment.”

          “People are like, ‘The Fourth Amendment protects me. The Fifth Amendment protects me.’ Yes, but this is a big exception,” Courtney says. https://news.northeastern.edu/... [northeastern.edu]

        • Re:The takeaway (Score:5, Insightful)

          by tijgertje ( 4289605 ) on Friday October 31, 2025 @05:31AM (#65763638)
          Why would anyone not living in that country go to the USA nowadays?
          Your country is weird and scary.
        • Re: The takeaway (Score:4, Informative)

          by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday October 31, 2025 @07:13AM (#65763756) Homepage Journal

          They said ICE wasn't grabbing citizens but they're well over 100 on that now so your optimism is misplaced. They don't have to do anything. They could do anything with you.

        • by mspohr ( 589790 )

          Good theory.
          We'll see how you feel about it after a few weeks in solitary confinement.

        • We are also not legally allowed to just kill people accused of trafficking drugs -but we do.

          "Enhanced interrogation techniques" will convince anyone to volunteer their passcode. Legal justifications will come later or not at all.

          Once the feds notice you, you will not be able to talk your way out of it. Citizen or no.

        • by mysidia ( 191772 )

          Notable point: If you are a US citizen they might seize the device but you WILL be admitted into the country - a citizen cannot be denied entry.

          If you don't cooperate with the search.. In theory you will be allowed entry as a citizen - probably yes - you just may be inside the US but in jail: without the property, and potentially you could possibly be on your way after a few days in detention -- Or possibly longer due to additional things officials are going to find to charge you with in retaliation for

      • by allo ( 1728082 )

        What if you do not have the codes for, let's say, a company device? A company with trade secrets would be wise to give the traveler the unlock code only after the arrival.

        • by mysidia ( 191772 )

          What if you do not have the codes for, let's say, a company device?

          I'm sure you could explain that to customs most likely, And they would probably let you go, but the device stays behind with customs until they can get into it. They will just hold the property as potential contraband until someone from the company calls and provides them access to search the contents of it.

          A company with trade secrets does not allow them to be stored at rest on a laptop being flown overseas -- you probably have to access

    • I wonder how vulnerable the really small Android makers are? I mean, the majority of Android owners use Google or Samsung phones. What if you're using a Xiaomi or Motorola or whatever? Have Cellebrite invested the time to figure out how to crack them all?

      • Probably quite vulnerable as GrapheneOS's developers note only Pixels meet their security requirements currently. Other Android phones don't have the Titan M2 security chip among other security features.
        • Agreed, but you'd still have to (I assume) reverse engineer each one differently, wouldn't you?

          Maybe the lesser phones are a Professional Services engagement rather than a product solution? Would be fun to find out :-)

    • In case anyone else is wondering, it does seem the summary is misleading at the end. The table indicates that before first unlock they can only get a small amount of data - the OS and some info about installed apps, no user data. (The summary says Pixel 9 is "supported" BFU, but that is only what Cellebrite apparently calls "BFU data", not full file system (FFS).) So, as parent states, none of the Pixel devices listed are vulnerable to full access from a cold state.

    • by gweihir ( 88907 )

      Due to a thing called "rubber hose cryptanalysis", the actual advice is to not have secrets that must be protected on your phone or not to go to places that can force an unlock (and there are many of those places). Relying on tech when they might be torturing you is pretty disconnected from the real world. And many states, including some surprising ones, are willing to torture in various forms.

  • You can enter that, and it will erase the device then reboot, leaving the OS in a fresh state.

    • by registrations_suck ( 1075251 ) on Friday October 31, 2025 @01:56AM (#65763386)

      While I do support such a feature and find it ridiculous all operating systems don't include it, it should not work how you describe.

      1). That could get you charged with destroying evidence, hindering prosecution, etc.

      2). It should be more subtle. What the duress password should do is take you to a "different partition" (or something) that makes it look like you've logged in to an actively used phone that does not actually contain your real info. It has to look, smell and taste like you've actually logged into the person's device. In the meantime, your encrypted "actual partition" remains safe. This feature may require dedicated hardware to implement, I get that.

      • #1 implies that they have a warrant they're charging you with in the first place.

        #2 would probably still be bypassed by Cellebrite.
        • Not necessarily.

          You can be charged with such things in the absence of a pre-existing warrant.

          As for Cellebrite...maybe, I dunno. I'm not well-versed in what they are doing or how they do it. I have HEARD that it takes some time to bring new devices into their suite of hackable stuff though.

  • I foresee a new Teams feature or two coming soon.

    1). Somehow disable screen shots during a Teams call.

    2). Somehow notify the presenter when a participant has taken (or attempts to take) a screen shot (identifying that person by name).

    Frankly, I'm surprised such features don't exist already.

    Sure, someone could still take a picture with a cell phone or whatever, but don't let perfect be the enemy of good enough or at least SOMETHING to try to catch people.

    • by magamiako1 ( 1026318 ) on Friday October 31, 2025 @02:18AM (#65763414)
      These features already do exist for Teams calls, but it requires you to have the correct Teams Premium licensing for the person running the call, and requires them to enable the feature and provide a sensitivity label for the meeting.

      Most companies do not purchase nor use all of Microsoft's security features.
      • What if I run the browser version in Firefox in Linux (and X11)?

        • Ok. What if you do?

        • Teams barely worked in ff with ua switcher

        • Or, if you need the actual Tinyflaccid Teams client, run it in a VM? Or, if you need to use your company-provided box, give it a HDMI frame-grabber as a monitor?

          The latter BTW is a nice solution if they force you to use (and lug around everywhere) a company-provided laptop that does nothing but Tinyflaccid Lookout and Tinyflaccid Teams.

      • Well, see there? No new ideas under the sun I guess.

      • If you're able to get yourself into a Microsoft/Cellebrite Teams call, I'm sure you can use an HDMI capture card.

        I also wonder about Mac participants? Given the lightness of touch Microsoft exert on Mac versions of things (esp. Teams), it seems highly unlikely it would be aware of screenshotting.

    • by unrtst ( 777550 )

      I guess you didn't RTFA. The "screenshot" was taken with a camera of some sort. It was not a screen capture. Here it is:
      https://files.catbox.moe/80kwm... [catbox.moe]

  • Good thing I don't own one !
  • by Anonymous Coward

    This link is paywalled. Others are privacy walled. All are clickbait.
    If there is a huge leak, there will be serious sites reporting about them. Find a link and post that one. This post should not have made it to the front of Slashdot with a pay link.

  • by Shakes Fist ( 10502847 ) on Friday October 31, 2025 @06:11AM (#65763674)
    I contacted both Signal and Proton about a very simple method of securing their apps. Neither implemented it. The same could be done with any device: 2 passcodes.
    You have your passcode "password" which unlocks the device and allows use. This is what you give to anyone that demands access.
    You have a different passcode "P@55w0rD!" that allows you proper access to your device so that you can keep all your sensitive data there.
    • So you have never heard of privilege elevation?
    • by DarkOx ( 621550 )

      Because this solution assumes that adversaries are uninformed.

      It might work for some custom for your organization/group messaging platform that nobody knows anything about, in the event someone says "hey what's this open it up" but hidden profiles however accomplished with whatever mix of cryptography, steganography, just keeping all the data remote so you don't have to hide the local copies and changing behavior based on some login signal generally won't work for something like Signal.

      If signal implemented s

    • by gweihir ( 88907 )

      This idea has long since been discounted by the IT security community as unhelpful and actually dangerous.

      Amateurs come up with it time and again though and always think they are smarter than all the experts. They are not.

  • In this case discussing highly confidential things over essentially unsecured channels.

  • Does this leak give GrapheneOS any information it can use to make its system more secure against these cellphone hacking tools?
