Here’s the Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024.

404media recently published an article based on the same April 2024 docs we received in April and published in May. Many tech news sites including 9to5Mac made incorrect assumptions treating that as current.

Here’s the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for Pixels. They’re still unable to exploit locked GrapheneOS devices unless they’re missing patches from 2022. A locked GrapheneOS device also automatically gets back to BFU from AFU after 18h by default.

GrapheneOS is defending against these tools with generic exploit protections rather than by patching specific vulnerabilities. Until recently, it’s likely that it was our generic memory corruption exploit mitigations including hardened_malloc which was successfully stopping this.

In February 2024, we added a new feature for disabling the USB-C port at a hardware level. In March 2024, we set the default mode to “Charging-only when locked, except before first unlock”. In June 2024, we increased the default security level to “Charging-only when locked”.

Later in June 2024, we extended our software-level USB protection, merged it into the newer hardware-level protection feature and extended the hardware-level protection to pogo pins on the Pixel Tablet. There’s extremely strong protection against these USB-based attacks now.

Here’s the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for overall Android devices. Other than the Titan M2 on the Pixel 6 and later not being successfully yet to bypass brute force protection, it’s largely just based on what they’ve had time to support.

In January 2024, we reported several vulnerabilities being exploited by the XRY tool from MSAB to get data from Android devices including stock OS Pixels. In April 2024, Pixels shipped a reset attack mitigation we proposed preventing the whole attack vector. We plan to expand it.

Currently, non-Pixel devices are still vulnerable to these reset attacks. In June 2024, Android 14 QPR3 included another feature we proposed providing wipe-without-reboot support for the device admin wipe API. We shipped this early and use it in our duress PIN/password feature.

We also began triggering a full compacting garbage collection cycle in system_server and SystemUI when the device is locked based on info about these attacks. This releases memory for no longer allocated objects to the OS, where our generic zero-on-free feature clears all of it.

In the near future, we plan to ship support for adding a PIN as a 2nd factor to fingerprint unlock to enable users to use a strong passphrase combined with PIN+fingerprint secondary unlock for convenience. We have an initial implementation, but it needs more work before shipping.

We’re going to continue advancing the state of the art for protection against exploitation. Hardware vendors are welcome to collaborate with us if they want to protect users. We’re regularly filing vulnerability reports and making suggestions to improve the security of Pixels.

Glossary:

BFU: Before First Unlock exploitation of OSBF: Brute Force password after BFU exploitation, which requires bypassing secure element brute force protection if implementedAFU: After First Unlock exploitation of OSFFS: Full Filesystem Extraction from an unlocked device

BF capability does not bypass hardware-bound key derivation, so a brute force is still rate limited but no longer has an extremely small number of attempts. Cellebrite Advanced Services may be able to bypass this through extracting data from hardware, but it would be difficult.

BF implies ability to bypass random 6 digit PINs. It does not imply ability to bypass a decent passphrase where hardware-bound key derivation slows them down too much. A truly strong passphrase is safe even if they bypass hardware-bound key derivation and use a huge server farm.