Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking

Why GrapheneOS Resists Cellebrite Better

  • Commenters highlight that GrapheneOS significantly raises the exploit bar compared with stock Pixel OS:
    • Hardware-level USB data disablement when locked (peripherals, gadgets, alt-modes) vs stock Android’s much weaker “charging only” gadget mode toggle.
    • Auto‑reboot to BFU (Before First Unlock) after a configurable timeout (10 minutes–72 hours), restoring full at‑rest protection without user action.
    • Extensive exploit mitigations: hardened malloc, broad use of ARM Memory Tagging Extension (MTE) in kernel and userspace, zeroing of RAM on boot and in fastboot, duress PIN, 2‑factor fingerprint+PIN, PIN scrambling.
  • Leaked Cellebrite matrices reportedly show:
    • GrapheneOS devices currently resist full filesystem extraction in both the BFU and AFU (After First Unlock) states, even when the password is known.
    • Stock Pixels and iPhones largely prevent brute‑force attacks via secure elements, but are still exploitable in the AFU state, and partly in BFU, via OS‑level bugs.

Limits of “Unhackable” Phones & BFU/AFU Nuance

  • Some argue Google could match or approach GrapheneOS’s protections but prioritizes usability, compatibility, and government relationships.
  • Others push back that no commercial vendor can realistically produce an “unhackable” device against well-funded state actors; security is an arms race and exploits will always emerge.
  • Several clarifications:
    • BFU still exposes a small set of “device encrypted” data (system logs, installed apps, Wi‑Fi configs, some alarms), not user content.
    • Turning a device fully off remains one of the strongest protections when crossing borders or facing arrest.

Google, Apple, and Corporate Incentives

  • The thread contrasts a nonprofit, donation‑funded project whose explicit goal is security with ad‑ and services‑driven giants:
    • Companies can be compelled (formally or informally) to assist law enforcement and are structurally incentivized to collect data.
    • Some see Apple as currently ahead in mobile security (especially with newer iOS auto‑reboot / lockdown‑like features); others view much of this as security theater given ongoing Cellebrite capabilities and opaque cloud backup encryption.

GrapheneOS Usability and App Compatibility

  • Usability tradeoffs are debated:
    • Missing or altered features: no face unlock or pattern unlock (considered insecure), stricter USB behavior (problematic if the touchscreen breaks), and no tap‑to‑pay via Google Pay, which is due to Play Integrity policy rather than technical insecurity.
    • Many banking and government apps work; some rely on Google’s device integrity signals and refuse to run, though a few have explicitly whitelisted GrapheneOS’s hardware attestation.
    • Sandboxed Google Play Services and optional separate profiles let users compartmentalize “official” apps while keeping a more private main profile.

Law Enforcement, Government Pressure, and Regulation

  • Several comments discuss:
    • The likelihood of secret pressure on major vendors not to ship “too secure” phones vs simpler explanations like cost, UX, and market demand.
    • Skepticism that legal protections alone can constrain intelligence and law‑enforcement overreach; hence emphasis on technical defenses.
    • Recognition that GrapheneOS’s prominence makes it a prime target, but many argue that a hardened, quickly patched, open system is still the best available option on Android hardware.