It's never been easier for the cops to break into your phone (opens in new tab)

(theverge.com)

54 pointsDeepPhilosopher1y ago31 comments

31 comments

Does anyone know how much of a black box these cellebrite (or competitor) systems are?

Like if we could get some into the hands of the best reverse engineers in software and hardware, how difficult might it be to figure out the methods by which they gain access (aside from standard brute force and the like)? Are these unreleased zero day software exploits? Or something that anyone with enough knowledge of of the hardware system could implement with say a few million dollars and a small team of capable people? How are updates delivered? Do we know that the devices don't provide remote access to the vendor themselves?

hollow-moe1y ago

A french youtuber got their hands on one and they say the device itself isn't protected at all ! https://www.youtube.com/watch?v=lVx5auDj7Hs

aesh2Xa11y ago

Signal reported on their access in 2021 as well:

https://signal.org/blog/cellebrite-vulnerabilities/

https://cyberlaw.stanford.edu/blog/2021/05/i-have-lot-say-ab...

rasz1y ago

Got his hands on one and all he could muster is a talking head video?

worthless-trash1y ago

I don't imagine they are super hard, if they require wifi or usb or JTAG access, you can just dump it and figure out what it is doing, its not going to be any harder than reversing any other explotiation technique.

There would be thousands, if not tens of thousands of people in the world who can do it. Its much harder to create the exploit than to reverse it.

rasz1y ago

Older system:

Cellebrite UFED Cellphone Forensic Extraction Device Teardown https://www.youtube.com/watch?v=7LLGGCXH9MQ

UFED - its right in the name :] Video has little demonstration with older phones, one click bypass for all passcodes.

nxobject1y ago

It's a pity that we (likely including the journalist) don't know more about how the cops got access to the iPhone beyond cloud backups: the one thing I'm taking away from this article is that passcodes can still be brute forced.

Terretta1y ago

Well, look what vectors Apple thinks are used (most while you keep using it, some physical):

https://support.apple.com/en-us/105120

worthless-trash1y ago

I think that bruteforcing the passcode is an unlikely attack vector, if they do "brute force it" it likely wont be with apples OS running, it would be some kind of custom attack.

blitzar1y ago

Image device -> run image in emulator -> try 5 passcodes -> get blocked -> reload image -> try 5 passcodes -> get blocked -> ... -> try 5 passcodes -> unlock phone.

2 more replies

treebeard9011y ago

Along with this, the ISPs, phones and services online all have a close relationship with those requesting access from law enforcement. Rarely would most put up a fight for you or anyone else if your information was requested.

There are numerous ways for LE to view and manipulate your online experiences. Your phone can be viewed remotely like remote desktop over your cell connection without your knowledge. Defeating all end to end encryption in the process.

LE is given access to your application APIs and can control the results you get from job searches, your YouTube recommended videos and even the advertisements you are served.

Now you may think there are protections and they need a warrant. They do not in many cases. Most important to understand is that LE only has to follow the law and the rules if they want to use information they collect against you in court. Most requests do not go this far. So it is wide open for your information.

Even getting your phone and getting into it is easier than ever. However once you get here odds are it will face scrutiny in court.

I am hopeful a lot of this will continue coming out and being verified more officially. We live in a surveillance state and most people need to be educated about it.

hairball01y ago

This is very interesting. Would you be able to point to sources where we can learn more about these capabilities? A friend who is usually quite rational has lately been insisting this is happening to them (remote monitoring, harassment via search results and anything with an algorithmic feed). They haven't done anything wrong, but may have gotten on the wrong side of well-connected people, and are now concerned things could escalate (e.g. framing). If there were any indicators on their devices or elsewhere that they could look for, it could be helpful.

filoleg1y ago

Is there any info yet on what kind of a phone the attacker had?

I still cannot find any article about this incident explicitly mentioning not even a specific model, but just whether it was Android or iOS at all.

While most of them keep referencing that old San Bernardino story where the attackers had an iPhone with an outdated security model even for the time of the incident (it was iPhone 5c iirc).

millzlane1y ago

Try sorting by date and using an exclusion operater for San Bernardino.

filoleg1y ago

Looks like there is now a confirmation[0] that it was an Android phone.

0. https://9to5mac.com/2024/07/18/trump-shooter-android-phone-c...

BXLE_1-1-BitIs11y ago

Don't know Apple, but Androids can be put into Bootloader and Recovery without password or pin. Most Recovery[s] give you access to the file system (if not, Bootloader can be used to install your own Recovery). Extract the files and run through whatever software you have for decryption.

plingbang1y ago

Can you name a single Android phone or tablet model that is <10 y.o. for which you can access personal data with this method?

kees991y ago

Nexus 6 (late 2014), as well as rare Nexus 5X (2015), where owner enabled "OEM unlock" option.

Obscure Chinese brands made such android phones for few more years.

All Google Pixels (2016 and later), and virtually any android phone made after circa 2018 are safe from naive bootloader attack: user data is encrypted, plus you have to "OEM unlock" to even get the recovery to run.

BXLE_1-1-BitIs11y ago

My mistake. Most of my Android devices are unlocked.

ChrisArchitect1y ago

tl;dr

The FBI made a note that they accessed the phone, shared widely etc, https://www.fbi.gov/news/press-releases/update-on-the-fbi-in... , there isn't any other information regarding the case.

j / k navigate · click thread line to collapse

31 comments

twojacobtwo1y ago

Does anyone know how much of a black box these cellebrite (or competitor) systems are?

hollow-moe1y ago

A french youtuber got their hands on one and they say the device itself isn't protected at all ! https://www.youtube.com/watch?v=lVx5auDj7Hs

aesh2Xa11y ago

Signal reported on their access in 2021 as well:

https://signal.org/blog/cellebrite-vulnerabilities/

https://cyberlaw.stanford.edu/blog/2021/05/i-have-lot-say-ab...

rasz1y ago

Got his hands on one and all he could muster is a talking head video?

worthless-trash1y ago

There would be thousands, if not tens of thousands of people in the world who can do it. Its much harder to create the exploit than to reverse it.

rasz1y ago

Older system:

Cellebrite UFED Cellphone Forensic Extraction Device Teardown https://www.youtube.com/watch?v=7LLGGCXH9MQ

UFED - its right in the name :] Video has little demonstration with older phones, one click bypass for all passcodes.

nxobject1y ago

Terretta1y ago

Well, look what vectors Apple thinks are used (most while you keep using it, some physical):

https://support.apple.com/en-us/105120

worthless-trash1y ago

I think that bruteforcing the passcode is an unlikely attack vector, if they do "brute force it" it likely wont be with apples OS running, it would be some kind of custom attack.

blitzar1y ago

Image device -> run image in emulator -> try 5 passcodes -> get blocked -> reload image -> try 5 passcodes -> get blocked -> ... -> try 5 passcodes -> unlock phone.

2 more replies

treebeard9011y ago

LE is given access to your application APIs and can control the results you get from job searches, your YouTube recommended videos and even the advertisements you are served.

Even getting your phone and getting into it is easier than ever. However once you get here odds are it will face scrutiny in court.

I am hopeful a lot of this will continue coming out and being verified more officially. We live in a surveillance state and most people need to be educated about it.

hairball01y ago

filoleg1y ago

Is there any info yet on what kind of a phone the attacker had?

I still cannot find any article about this incident explicitly mentioning not even a specific model, but just whether it was Android or iOS at all.

While most of them keep referencing that old San Bernardino story where the attackers had an iPhone with an outdated security model even for the time of the incident (it was iPhone 5c iirc).

millzlane1y ago

Try sorting by date and using an exclusion operater for San Bernardino.

filoleg1y ago

Looks like there is now a confirmation[0] that it was an Android phone.

0. https://9to5mac.com/2024/07/18/trump-shooter-android-phone-c...

BXLE_1-1-BitIs11y ago

plingbang1y ago

Can you name a single Android phone or tablet model that is <10 y.o. for which you can access personal data with this method?

kees991y ago

Nexus 6 (late 2014), as well as rare Nexus 5X (2015), where owner enabled "OEM unlock" option.

Obscure Chinese brands made such android phones for few more years.

BXLE_1-1-BitIs11y ago

My mistake. Most of my Android devices are unlocked.

ChrisArchitect1y ago

tl;dr

The FBI made a note that they accessed the phone, shared widely etc, https://www.fbi.gov/news/press-releases/update-on-the-fbi-in... , there isn't any other information regarding the case.

j / k navigate · click thread line to collapse