Yes. If the device is unlocked successfully via brute force then it's considered an unlocked device extraction. Cellebrite call hot phones that are locked 'AFU' and hot phones that are unlocked / brute forced successfully 'Unlocked'. Older Cellebrite docs we published used to call their AFU iOS capabilities Instant Password Retrieval (IPR) but they stopped doing that for some reason.

AFU exploits are to access and extract data without unlocking the device or to bypass the unlock mechanism entirely. Since data isn't encrypted/at rest when AFU they can obtain almost all of the data (except conditional circumstances like data of other Android user profiles or the Mail inbox on iOS) if an exploit is available.

"BFU Yes" in their docs means accessing data encrypted by the device rather than user credentials in a BFU state. For Android it's some OS configuration and APKs of installed apps. iOS provides far more information.


Discussion

Scheduling the phone to automatically switch off at certain times (for example, every three hours) can be helpful if a Cellebrite or GrayKey machine isn't available right after the smartphone is seized.

This is a GrapheneOS feature by default, 18 hours but configurable to 30 minutes of inactivity. iOS implemented it too but it's done in 3 days of no unlock. The Shortcuts app could be useful for this as you can assign device restarts to a trigger. A more primitive shortcut could be to assign a reboot when the clock hits a certain hour such as when you're asleep.

Stronger USB port security features would help. I don't see why Apple couldn't copy what GrapheneOS does with disabling Pixels' USB-C port at a hardware level when they create both the phone and OS.

If there were still phones with removable batteries that could be charged outside the device, it would open up a lot of possibilities. Just a little soldering could permanently disable the USB port.

They should still need the feature. Forensic experts would be trained in device repair and just replace the port, so it should disable itself even when the port is replaced. It would increase the time before an extraction attempt could be performed though.

Fixing the door would require the phone to be turned off and put into BFU mode.

I was informed that there are manufacturers whose smartphones can be unlocked even in BFU mode, possibly because they provide some sort of master key, with Samsung being one of them. Is this information accurate? Excluding Apple and Google, which manufacturers would offer better security against forensic devices?

There are some companies who claim BFU Physical extractions, mostly on very insecure MediaTek devices and some Samsung Exynos devices. This extracts everything but the data extracted is still encrypted... so it needs a brute force anyways. There isn't a "master key" because that key is created and derived from the user credential which you need to know. It's advertiser speak.

Take a look at this video MSAB made:

https://www.youtube.com/watch?v=8Y9PZzHu_3U

Notice it says "XRY Pro has allowed me to *BRUTE FORCE* that device" at around 1:20 despite the narrative in the title and the video? Shameless...

A good amount of Samsung devices do have brute force support though as documented in our last doc publications and in this video. More reasons why a dedicated secure element like the Titan M2 is very valuable.

Very good. Thank you again.