There'd be no realistic concerns. Attack surface is minuscule, even in a hot state it needs a pretty thorough exploit chain and would need to be bespoke to a target. I don't recommend keeping a device seized and returned in the state it's returned in anyway. I'd disable any network access, take any important files out (you should have backups) and reset it.

Some customers of forensic tools are known to implant spyware into seized devices when returning it. Serbian law enforcement did it, but those came with the prerequisite of having the device unlocked by their Cellebrite tool to install it. The spyware in question appeared to not be provided by Cellebrite either. No access = no install.

Some forensic companies had tools that implanted spyware on AFU devices to keylog the PIN/Password when they could not access the device, such as GrayKey's Hide UI for iPhones. Hide UI alone was known to be buggy and problematic. It also didn't deliver the PIN remotely and required seizing it a second time when first revealed.

https://wccftech.com/how-fbi-uses-graykey-and-hide-ui-to-unlock-iphones/

Graykey moved away from being just for iOS devices a long time ago though.

OS updates and device differences can intentionally (and more often unintentionally) break how exploits work. For example Pixel 9 was unsupported by Cellebrite despite no major security changes, and only just became supported this February.

They'd likely put their focus on finding an exploit for the secure element to allow faster brute forcing.

Discussion

Is the Hide UI installed even with the iPhone locked (AFU)?

I heard about recent cases of modern iPhones being unlocked even when the user is using a complex password with special characters. Is there any other explanation besides the Hide UI?

Yes. If the device is unlocked successfully via brute force then it's considered an unlocked device extraction. Cellebrite call hot phones that are locked 'AFU' and hot phones that are unlocked / brute forced successfully as 'Unlocked'. Older Cellebrite docs we published used to call their AFU iOS capabilities Instant Password Retrieval (IPR) but they stopped doing that for some reason.

AFU exploits are to access and extract data without unlocking the device or to bypass the unlock mechanism entirely. Since data isn't encrypted/at rest when AFU they can obtain almost all of the data (except conditional circumstances like data of other Android user profiles or the Mail inbox on iOS) if an exploit is available.

"BFU Yes" in their docs means accessing data encrypted by the device rather than user credentials in a BFU state. For Android it's some OS configuration and APKs of installed apps. iOS provides far more information.

Scheduling the phone to automatically switch off at certain times (for example, every three hours) can be helpful if a Cellebrite or GrayKey machine isn't available right after the smartphone is seized.

This is a GrapheneOS feature by default, 18 hours but configurable to 30 minutes of inactivity. iOS implemented it too but it's done in 3 days of no unlock. The Shortcuts app could be useful for this as you can assign device restarts to a trigger. A more primitive shortcut could be to assign a reboot when the clock hits a certain hour such as when you're asleep.

Stronger USB port security features would help, I don't see why Apple couldn't copy what GrapheneOS does with disabling Pixels' USB-C port at a hardware level when they create both the phone and OS.

If there were still phones with removable batteries that could be charged outside the device, it would open up a lot of possibilities. Just a little soldering could permanently disable the USB port.

They should still need the feature. Forensic experts would be trained in device repair and just replace the port, so it should disable itself even when the port is replaced. It would increase the time before an extraction attempt could be performed though.

Fixing the door would require the phone to be turned off and put into BFU mode.

I was informed that there are manufacturers whose smartphones can be unlocked even in BFU mode, possibly because they provide some sort of master key, with Samsung being one of them. Is this information accurate? Excluding Apple and Google, which manufacturers would offer better security against forensic devices?

There are some companies who claim BFU Physical extractions, mostly on very insecure MediaTek devices and some Samsung Exynos devices. This extracts everything but the data extracted is still encrypted... so it needs a brute force anyways. There isn't a "master key" because that key is created and derived from the user credential which you need to know. It's advertiser speak.

Take a look at this video MSAB made:

https://www.youtube.com/watch?v=8Y9PZzHu_3U

Notice it says "XRY Pro has allowed me to *BRUTE FORCE* that device" at around 1:20 despite the narrative in the title and the video? Shameless...

A good amount of Samsung devices do have brute force support though as documented in our last doc publications and in this video. More reasons why a dedicated secure element like the Titan M2 is very valuable.

Very good. Thank you again.