42 comments

[ 2.8 ms ] story [ 64.1 ms ] thread
They couldn't answer the question most on my mind: "We’ve reached out to Google to inquire about why a custom ROM created by volunteers is more resistant to industrial phone hacking than the official Pixel OS. We’ll update this article if Google has anything to say."
Is grapheheOS actually harder to hack or does cellebrite just not put a lot of effort into supporting it because the very low odds of LEs running into one in the wild?
GrapheneOS makes security trade-off that are inconvenient to the user. This results in a far more secure device, but nonetheless a device that the general public would find far more annoying. Google would lose a proportion of its user base by implementing the same protections.

Example: https://old.reddit.com/r/GooglePixel/comments/ytk1ng/graphen...

Also Google Pay is missing.

I'd almost want to avoid GrapheneOS because it gets so much attention from law enforcement that it's probably a big target for various agencies to find vulnerabilities in.
More attention than stock android?
GrapheneOS isn't made by volunteers. They have a team of around 10 paid developers. They are a nonprofit foundation that receives donations and uses those to pay developers, infrastructure etc.

Ars Technica has update its article to rectify that mistake. It doesn't mention that anymore.

So much for all the security posturing by Google lol.
I mean, hardware is great, it's literally the only safe and secure hardware for AOSP. Samsung are mostly security theater, all the other brands are shockingly bad.
(comment deleted)
GrapheneOS is basically the Android equivalent of iOS Lockdown mode. Considering how the threat landscape has changed, it would be nice if Google offered this itself. Or became a long-term sponsor of GrapheneOS, seeing how great a job they've been doing.
Not really.

iOS in lockdown mode has multiple features disabled (or crippled, depending on how you look at it), while GrapheneOS is just..... secure by design with secure defaults.

https://support.apple.com/en-us/105120

In iPhone also you cannot just turn on/off/adjust these protections one by one, it's all or nothing.

One idea is that the stock rom by Google may phone home even when locked. Perhaps with a malicious WiFi network, attackers can exploit the phone through a flaw in DNS or HTTP handling.

If GrapheneOS skips contacting remote servers like that, they would not be vulnerable.

It would be a story of Google prioritizing tracking over security.

Googles goal as a company is to raise their stock price, graphenes goal is to make a secure phone OS. It really shouldn't be surprising to anyone that graphene is doing a better job.
I've set up GrapheneOS on my Pixel with 2FA fingerprint + PIN unlock. No way will anyone be getting into it without my cooperation.

My only issue was less compatibility with my local emergency services, since they can't see me on a map for some reason if I call from a GOS phone.

My solution to that was a second Pixel as an emergency phone - one with the stock OS, that I'll swap sims with and take with me when hiking, stand up paddle bording and doing other activities that carry risk. This phone has no sensitive information in it. I also have a PLB for added protection.

First I’m hearing Graphene causes issues with E911 - is this a setting?
> My solution to that was a second Pixel as an emergency phone

Picking a Pixel specifically as an emergency phone is quite the choice, given years of on and off 911 issues.

Don't know if/how this works in the US, but the EU emergency number can always be called without a simcard/subscription, so no need to swap simcards. (And sometimes even from a locked phone)
US is the same. I dialed 911 once as a child from an American phone in Indonesia without a SIM card in it. Freaked out and hung up.
>However, rogueFed also called out the meeting organizer by name (the second screenshot, which we are not reposting).

The FBI?

Wow. I was just thinking about jumping ship from iPhone to Pixel.
Another great thing about GrapheneOS (besides security) is that Google Play Services can be installed without elevated privileges and even in a separate profile which can't run in the background. This makes the phone suitable for both normal usage and for those cases where you need to use some "official" app.

It passes Play Integrity "MEETS_BASIC_INTEGRITY" but of course doesn't pass higher levels but not because it's insecure - it's because it refuses to grant GMS elevated privileges. Good news is that banking apps can whitelist GrapheneOS using standard Android attestation mechanism (and some already did).

> Notably, the Pixel 10 series is moving away from physical SIM cards.

Is it? I hadn't followed news of the new Pixels.

I don't like the idea of modernizing this and going full eSIM. It will introduce a lot of new friction, somehow I don't doubt it. Just now arrived to Mexico for a quick trip and grabbed a prepaid SIM from a 7-11 in the airport. All quick and simple. I doubt things would be so seamless when not having a SIM tray in the phone. Having to go through an official process to register a new card, ID oneself, hope to not have any incompatibility with the eSIM slots in your phone (admittedly I don't know how this works)... vs. just paying MXN100 and leave the store with a ready to use number.

Oh, that's what you get by being unaware of the cellphone brands. I was all excited thinking "hey, they found a way to hack phones through, I guess, screen firmware by setting a special sequence of pixels? How frakking cool!". How disappointed I was...
Testament to GrapheneOS' competence and commitment to it's purpose that it's called out by name by Cellebrite.
How come not a single Cellebrite device got "lost" and thoroughly analyzed? Surely quite a few police depts are rather lax.
> https://signal.org/blog/cellebrite-vulnerabilities/

There’s always the hope they are hit back: Cellebrite can develop solutions to automate the hacking of target phones, but in doing so their physical devices are exposed to being hacked as well.

ahhh what is this?

> The completely unrelated

> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

If there's one thing I find the most galling about Cellebrite and the larger realm of state-sponsored hacking, it's that it's practically destroyed the ability to jailbreak devices. Pretty much everything on PPL/SPTM has no public jailbreaks to speak of anymore, at least not until way after the feds have thoroughly 0wned you first.

While some of this comes down to "Apple increased their security posture", a lot of it is that these exploits are $$$ now... and also that nation state actors only really care about data exfiltration. It's https://xkcd.com/1200/ all over again. The thing the nerds actually want is, well, not useless to the glowies, but it is definitely overkill.

Since nobody else has mentioned it... "vulnerable to hacking" is doing a lot of heavy lifting here. It's "vulnerable" about as much as my LUKS desktop system is vulnerable.

These charts have been available for years and don't tell us anything particularly scary IMO.

This "hacking" especially for BFU/turned-off Pixel devices, at best would amount to brute-forcing your password, either on-device or after copying the flash elsewhere.

Short of using top-secret multi-million dollar 0days or something, there is no inherent Pixel flaw that lets them bypass the device's encryption or anything crazy like people are thinking. They still have to get your password somehow, just like anyone else.

Those slides have been in the GrapheneOS Forums for ages.
BFU inside the table cells means:

"BFU extraction can only pull the small amount of "Device Encrypted" (DE) data that is accessible. This is mostly system logs, some app settings, and other non-personal data. It does not get messages, photos, or detailed app data." It basically gets them the list of apps, when the phone has been powered on and off and perhaps some cell geo location history.

FFS means Full Filesystem Search.

What this implies in practice:

All locked stock Android Pixels (including 10 I am almost sure) are vulnerable to FFS after the first unlock, even in the locked state. If you want to protect your data (crossing a border, or when you are about to be interrogated by Russian FSB), turn off your stock Android Pixel.

So I'm running Pixel 6a with GrapheneOS beta updates, I'm okay? Tho if law enforcement needs in my phone they just need to hold me until after lunch, I get pretty hungry. And those Doritos and coke they offered me sure looks tasty...
Congratulations to the GrapheneOS team. Holding your ground against fucking government backed intelligence corporations is no easy feat. May fortune always smile upon them.
A ~dozen programmers are shipping a demonstrably more secure version of a multi-billion-dollar corporation's own operating system on that company's own hardware. That's incredible.
<3 GrapheneOS, it does what I need without me spending the time.

I only wished they'd add Automatic call recording.

I am sure that will cause a lot of trouble in many countries. How hard is it to click Record button for the important calls? I don't think a small project like GrapheneOS should spend time on every small request users want.
One super simple usability v. security tradeoff that Graphene made is that if you plug a new device into the USB while the screen is locked, it just won't work until you unlock the screen. This is kinda annoying the three times a year I want to use wired earbuds, but it's a major impediment for any kind of AFU hacking.