this post was submitted on 30 Oct 2025
338 points (99.7% liked)

Privacy


Someone recently managed to get on a Microsoft Teams call with representatives from phone hacking company Cellebrite, and then leaked a screenshot of the company’s capabilities against many Google Pixel phones, according to a forum post about the leak and 404 Media’s review of the material.

The leak follows others obtained and verified by 404 Media over the last 18 months. Those leaks impacted both Cellebrite and its competitor Grayshift, now owned by Magnet Forensics. Both companies constantly hunt for techniques to unlock phones law enforcement have physical access to.

“You can Teams meeting with them. They tell everything. Still cannot extract esim on Pixel. Ask anything,” a user called rogueFed wrote on the GrapheneOS forum on Wednesday, speaking about what they learned about Cellebrite capabilities. GrapheneOS is a security- and privacy-focused Android-based operating system.

rogueFed then posted two screenshots of the Microsoft Teams call. The first was a Cellebrite Support Matrix, which lays out whether the company’s tech can, or can’t, unlock certain phones and under what conditions. The second screenshot was of a Cellebrite employee.

According to another of rogueFed’s posts, the meeting took place in October. The meeting appears to have been a sales call. The employee is a “pre sales expert,” according to a profile available online.

The Support Matrix is focused on modern Google Pixel devices, including the Pixel 9 series. The screenshot does not include details on the Pixel 10, which is Google’s latest device. It discusses Cellebrite’s capabilities regarding ‘before first unlock’, or BFU, when a piece of phone unlocking tech tries to open a device before someone has typed in the phone’s passcode for the first time since being turned on. It also shows Cellebrite’s capabilities against after first unlock, or AFU, devices.
Screenshot via GrapheneOS forum.

The Support Matrix also shows Cellebrite’s capabilities against Pixel devices running GrapheneOS, with some differences between phones running that operating system and stock Android. Cellebrite does support, for example, Pixel 9 devices in the BFU state. Meanwhile the screenshot indicates Cellebrite cannot unlock Pixel 9 devices running GrapheneOS in the BFU state.

In a statement, Victor Cooper, senior director of corporate communications and content strategy at Cellebrite, told 404 Media “We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.” Google did not immediately respond to a request for comment.

GrapheneOS is a long-running project which makes sizable security changes to an Android device. “GrapheneOS is focused on substance rather than branding and marketing. It doesn't take the typical approach of piling on a bunch of insecure features depending on the adversaries not knowing about them and regressing actual privacy/security. It's a very technical project building privacy and security into the OS rather than including assorted unhelpful frills or bundling subjective third party apps choices,” the project’s website reads.

GrapheneOS is used not only by the privacy and security conscious but also by criminals. After the FBI secretly ran its own backdoored encrypted phone company for criminals, some drug traffickers and the people who sell technology to the underworld shifted to using GrapheneOS devices with Signal installed, according to interviews with phone sellers.

In their forum post, rogueFed wrote that the “meeting focused specific on GrapheneOS bypass capability.”

They added “very fresh info more coming.”

[–] besselj@lemmy.ca 87 points 2 weeks ago (4 children)

From the GOS forums, it looks like as long as you keep your phone up-to-date, block USB data in the locked state, and the phone is in the before-first-unlock state, Cellebrite still can't break into it

[–] zdhzm2pgp@lemmy.ml 30 points 2 weeks ago (2 children)

the before-first-unlock state

Embarrassed to ask what this is exactly...?

[–] besselj@lemmy.ca 54 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

When you reboot the phone, it is in the BFU state where everything is still encrypted until the user unlocks the phone, as I understand it. https://blogs.dsu.edu/digforce/2023/08/23/bfu-and-afu-lock-states/

[–] akilou@sh.itjust.works 11 points 2 weeks ago (2 children)

What if you long press power button and select "lock down"? Does that put it in the same BFU state?

[–] besselj@lemmy.ca 27 points 2 weeks ago (1 children)

No. Lockdown is not the same as BFU. Lockdown just turns off biometric unlocking.

[–] TheHobbyist@lemmy.zip 5 points 2 weeks ago

This is a good precision to be aware of.

It is still an important function because in some places law enforcement may be legally authorized to compel a user to unlock their phone using biometrics, but of course if you disable biometrics, there are fewer options to force you to enter your passphrase/password etc.

[–] LytiaNP@lemmy.today 15 points 2 weeks ago

Afaik, it only disables biometrics. BFU means the entire phone (should be) encrypted. You can test this by playing media and then pressing the lockdown button. If the media continues playing, it’s not encrypted.

If you can’t shut your phone down for whatever reason, disabling biometrics would be the second best option (assuming police cannot force you to reveal your password).

[–] Truscape@lemmy.blahaj.zone 23 points 2 weeks ago

When your phone reboots, it prompts for a password before you are able to use any functionality of the phone (nothing's running in the background until you unlock for security purposes).

Before-First-Unlock refers to this, the post-reboot screen where nothing is actively running that can be easily hijacked. If you set your phone to auto-reboot after a certain amount of hours, you can safely assume people will have to have a BFU exploit to ransack your phone.

The opposite of this is After-first-unlock (AFU), which is after that initial reboot password check.

[–] giantripdrop@piefed.social 11 points 2 weeks ago (1 children)

would using lockdown mimic the BFU state? or does it not matter once you actually unlock the first time?

[–] besselj@lemmy.ca 12 points 2 weeks ago (1 children)

The latter is true. Phone needs to be in BFU to work against Cellebrite, I figure. Lockdown only turns off biometrics and makes the phone unlockable with a pin or password instead, iirc.

[–] FauxLiving@lemmy.world 15 points 2 weeks ago (1 children)

If you have enough time to put your phone in lockdown, just power it off. You can also set it so that the phone will automatically reboot if not unlocked in some time period (like a day).

This makes it go into BFU mode if it’s lost or stolen and kept powered.

[–] akilou@sh.itjust.works 5 points 2 weeks ago (2 children)

Where can I find the auto reboot setting?

[–] LytiaNP@lemmy.today 16 points 2 weeks ago (1 children)

Assuming you’re on GrapheneOS: https://grapheneos.org/features#auto-reboot

I don’t think most other OEMs have an auto reboot feature

[–] FauxLiving@lemmy.world 4 points 2 weeks ago (1 children)

Yeah, oops, GOS only.

I don’t think most other OEMs have an auto reboot feature

There are very few phones where it would help because they're BFU exploitable.

[–] planish@sh.itjust.works 4 points 2 weeks ago (1 children)

Sounds like a lot of people are out there selling defective hardware.

[–] LytiaNP@lemmy.today 1 points 2 weeks ago* (last edited 2 weeks ago)

Most (older and lower end) phones don’t do encryption in the first place, so BFU becomes barely better than an unlocked phone.

[–] m4ylame0wecm@lemmy.zip 12 points 2 weeks ago

On GOS, Settings > Security > Exploit protection

[–] malwieder@feddit.org 5 points 2 weeks ago (1 children)

Can't keep your phone up-to-date if you're no longer in possession of it.

[–] potatopotato@sh.itjust.works 6 points 2 weeks ago (1 children)

Set a reboot timer. It'll shut down and dump the keys out of RAM putting it in the more difficult BFU state. That way if your phone is taken and not unlocked successfully by you within a day or so it'll render itself much harder to crack.

[–] LytiaNP@lemmy.today 2 points 2 weeks ago (1 children)

That still won’t keep the phone up to date, as you have to decrypt the device for it to update.

[–] potatopotato@sh.itjust.works 3 points 2 weeks ago

It negates the need for updates because it's much less likely that BFU attacks are discovered that could compromise the phone.

[–] Giblet2708@lemmy.sdf.org 1 points 2 weeks ago

block USB data in the locked state

So "charging-only when locked" is safe then, right?

[–] freedickpics@lemmy.ml 53 points 2 weeks ago

We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage

Lmao fuck them 😂 the GrapheneOS forum is exactly where this info belongs so the devs can patch any vulnerabilities. As if companies like Cellebrite care if (other) malicious actors get their hands on the exploits. They just don't want the vulnerabilities to be fixed so they can keep using them

[–] reagansrottencorpse@lemmy.ml 51 points 2 weeks ago (1 children)

Companies like Cellebrite are the scum of the world.

[–] jet@hackertalks.com 24 points 2 weeks ago

I'm actually thankful they exist, because they're a commercial company. They disclose their capabilities and they advertise. If this was strictly a government operation, it could be quite secret, quite nebulous, we wouldn't get as many leaks. They're fulfilling a very positive role in the ecosystem as a red team giving valuable feedback to GOS for blue teaming.

[–] Catalyst_A@lemmy.ml 49 points 2 weeks ago (1 children)
[–] mouse@midwest.social 11 points 2 weeks ago* (last edited 2 weeks ago)

There's also archive.today that can bypass these paywalls. https://archive.ph/NfjJm

[–] kibiz0r@midwest.social 43 points 2 weeks ago (2 children)

We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.

I was under the impression it was illegal to use exploits for purposes other than responsible disclosure?

[–] trolololol@lemmy.world 23 points 2 weeks ago

Yep for you it is. These guys are friends with governments.

[–] cassandrafatigue@lemmy.dbzer0.com 4 points 2 weeks ago (1 children)

illegal

What do you think this means?

[–] kibiz0r@midwest.social 1 points 2 weeks ago (1 children)

Violation of the unauthorized access provision of the CFAA, or the anti-circumvention provision of the DMCA

No, the word. What do you think "illegal" is?

[–] treadful@lemmy.zip 25 points 2 weeks ago* (last edited 2 weeks ago)
[–] root@lemmy.world 22 points 2 weeks ago

Wish they’d shared the iOS slide as well

[–] stupid_asshole69@hexbear.net 9 points 2 weeks ago (1 children)
[–] jet@hackertalks.com 2 points 2 weeks ago