Cellebrite can unlock most Android phones but can't unlock most iPhones

t3chg33k

Came up in the context of the Trump shooter's phone being unlocked in 40 minutes by Cellebrite. Basically any powered on Android phone can be hacked with Pixels being the exception when they are powered down.


All iPhones running iOS 17.4 and above cannot be unlocked at present, which also brings to light the issue with most Android phones not getting the latest security updates. Also the fact that Samsung introduced a vulnerability that otherwise didn't exist in Android.
 
> Came up in the context of the Trump shooter's phone being unlocked in 40 minutes by Cellebrite. Basically any powered on Android phone can be hacked with Pixels being the exception when they are powered down.
>
> All iPhones running iOS 17.4 and above cannot be unlocked at present, which also brings to light the issue with most Android phones not getting the latest security updates. Also the fact that Samsung introduced a vulnerability that otherwise didn't exist in Android.
It can open iPhones too. Previously, when we went on searches (income tax raids), I used to ask the forensic guy, "Can you guys take data from an iPhone too using Cellebrite?" They said yes. But the cost for that was too high, and they didn't possess that. We didn't ever need it because the assessee used to unlock his phone and give it to us without any hassle.
 

Apple takes security seriously, that's why an exploit of iOS is valued much higher than any android. I assume that cracking companies do have some exploits which are not known to the open world and can indeed open iPhones.
 
> It can open iPhones too. Previously, when we went on searches (income tax raids), I used to ask the forensic guy, "Can you guys take data from an iPhone too using Cellebrite?" They said yes. But the cost for that was too high, and they didn't possess that. We didn't ever need it because the assessee used to unlock his phone and give it to us without any hassle.
Yeah, the current iPhone info is from their leaked documents and they have not managed to get into 17.4 yet while ones up to iPhone 11 are hackable due to hardware vulnerabilities. But then the loopholes are closed as they are found.

Wonder whether he used Samsung's Knox / private folder policies.
If it is a relatively mid- to high-end phone then Knox is enabled by default. What I had read in the past is that they are still able to clone the complete filesystem from Android phones, which then gives them unlimited attempts to brute force the password.
 
Umm.. it is a little difficult to trust those leaks. Then there is GrayKey
That is a general list of devices and OS versions but then you wouldn't get these companies to acknowledge in general what they are capable of. In this case, Cellebrite at least acknowledged that the leaked documents are real.

Going by that, all iPhones on 17.4 cannot be unlocked presently. iPhone 12 onwards cannot be unlocked since iOS 17.1 whereas those up to iPhone 11 can be unlocked till 17.3.1. All 16.x and 17.0 iPhones can be unlocked.
 
> Cellebrite at least acknowledged that the leaked documents are real.
And the reason they would do that is just to hide the exploit they are using. It is a cat and mouse game after all. There is nothing which is unbreakable today. Interesting read -
 
> And the reason they would do that is just to hide the exploit they are using. It is a cat and mouse game after all. There is nothing which is unbreakable today.
It is. They put the status as "In research" for 17.4 so only they know how much they have progressed.

On Apple's part, it has been using the white-hat community for the Cellebrite/GrayKey exploits and offering generous amounts to jailbreakers to report the exploit rather than releasing it, so it is a proactive cat in that regard. Also they at least took the FBI to court.
 
> On Apple's part, it has been using the white-hat community for the Cellebrite/GrayKey exploits and offering generous amounts to jailbreakers to report the exploit rather than releasing it, so it is a proactive cat in that regard. Also they at least took the FBI to court.
Moot when devices exist which can break the encryption and are being actively used by the law enforcement agencies. That is the selling point for those companies after all so they will always keep ahead of the fat cat. We will never be privy to the "truth" unless you really want to believe what they admit or you work for one of those acronym agencies.
Personally I am least bothered by all of this but would focus on more pressing matters.
 
Most Americans own iPhones and not Android devices, you would think companies like this would target and focus on having exploits for Apple devices first because the average phone from John Doe that law enforcement will ask them to unlock is more likely to be an iPhone.

And while I can believe iPhones are somewhat more secure and that is why we see fewer exploits for them, I also believe that there are probably many 0day exploits for iPhones that these companies are very secretive about and don't want to even hint at having access to.
 
> Moot when devices exist which can break the encryption and are being actively used by the law enforcement agencies. That is the selling point for those companies after all so they will always keep ahead of the fat cat. We will never be privy to the "truth" unless you really want to believe what they admit or you work for one of those acronym agencies.
> Personally I am least bothered by all of this but would focus on more pressing matters.
The whole point is that law enforcement agencies can't break the encryption themselves. The San Bernardino case for which Apple took the FBI to court was about the FBI trying to force Apple to unlock a device. Since then, they switched to using these third party services.

It is amusing you are linking to the old Apple Photos story as the cause for that was specifically explained which is that photos are soft deleted until they are overwritten on the device and a device backup done during that time results in these soft deleted photos being carried over, which in this case was visible again due to database corruption.

I think it is available by default, but to use it one has to configure it.
I generally enable and use this for apps with sensitive data, but one needs to set it up.
That's true at the app level for Secure Folder but Knox itself operates at the hardware level.

However, it is still possible to just dump the entire filesystem on Android phones, find the password and then use it on the device itself to decrypt.
 
> The whole point is that law enforcement agencies can't break the encryption themselves.
So? What difference does it make? Nothing, when devices exist which can do exactly that and most law enforcement agencies own one. Yes, they went to court on that San Bernardino case and the end outcome is that there is even more prolific usage of these third party tools.
> It is amusing you are linking to the old Apple Photos story as the cause for that was specifically explained which is that photos are soft deleted until they are overwritten on the device and a device backup done during that time results in these soft deleted photos being carried over, which in this case was visible again due to database corruption.
My point is that instead of focusing on this clickbait "news" based on "leaks", it is better to focus on issues which matter and are evident. I linked to an issue which they had to fix, it is as simple as that. I don't need an explanation on what caused it, but as an Apple user, I would rather they focused on preventing such occurrences.
 
> So? What difference does it make? Nothing, when devices exist which can do exactly that and most law enforcement agencies own one. Yes, they went to court on that San Bernardino case and the end outcome is that there is even more prolific usage of these third party tools.
>
> My point is that instead of focusing on this clickbait "news" based on "leaks", it is better to focus on issues which matter and are evident. I linked to an issue which they had to fix, it is as simple as that. I don't need an explanation on what caused it, but as an Apple user, I would rather they focused on preventing such occurrences.
The point of the thread was to highlight unauthorized access to personal devices. It matters a lot to people in certain professions like journalists or even those who can have their devices captured for expressing dissenting views and then have their phone usage used against them legally.

The Photos issue is fine to highlight but it is a software issue that is replicated on another device where backup is restored using the same ID and thus has nothing to do with unauthorized access.
 