Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking

derbOac

They couldn't answer the question most on my mind: "We’ve reached out to Google to inquire about why a custom ROM created by volunteers is more resistant to industrial phone hacking than the official Pixel OS. We’ll update this article if Google has anything to say."

IncreasePosts

Is GrapheneOS actually harder to hack, or does Cellebrite just not put a lot of effort into supporting it because of the very low odds of LEs running into one in the wild?

markus_zhang

I read in an old HN post that three-letter agencies hate GrapheneOS. The author heard it at DEF CON or some similar conference. I couldn't find the post anyway :/ I think it is buried under one of the posts that discuss DEF CON and Black Hat.

overfeed

Wouldn't it be a total mindfuck if it turns out that Graphene is less secure[1] than stock Pixel, and this is all part of an ANOM-style honeypot operation that has Feds hyping it up, to trick interesting targets into adopting a less-effective security posture.

1. Such as via slower 0-day responses, for instance. This is a thought experiment; I'm not alleging that this is what it is.

dns_snek

Clearly it's harder but just how much harder is anyone's guess? Surely higher value targets would be more likely to use Graphene, so I would think that would make it just as important to invest resources into.

zb3

It physically disables USB ports when locked which significantly reduces the attack surface + can be configured to automatically reboot.

fph

Two fixes that would be trivial to backport to mainline Android.

aussieguy1234

The auto reboot is configured by default. It's quite a long window, every 18 hours or so from memory. It can be configured to be shorter than this.

I experimented with one hour, but missed an alarm.

It's good security practice to reboot your phone before going to bed; this puts it in the much harder to break into BFU state.

LoganDark

GrapheneOS makes security trade-offs that are inconvenient to the user. This results in a far more secure device, but nonetheless a device that the general public would find far more annoying. Google would lose a proportion of its user base by implementing the same protections.

Example: https://old.reddit.com/r/GooglePixel/comments/ytk1ng/graphen...

Also Google Pay is missing.

zb3

Which particular thing do you consider inconvenient or even annoying? You can even install Google Play there.

I see just one minor tradeoff - no face unlock.

MrDrMcCoy

That is a major feature. It prevents coerced unlocking.

LoganDark

Google OS-level integration is absent, and while Google Play Services can be installed, you're still missing things like Chromecast. Also, there's more manual configuration (although I don't remember exactly what, I've never used GrapheneOS). A lot of stuff you do get for free, but not all of it, and stuff that's been removed as a "feature" isn't always stuff that nobody wants.

colordrops

I'd almost want to avoid GrapheneOS because it gets so much attention from law enforcement that it's probably a big target for various agencies to find vulnerabilities in.

giantg2

This doesn't make sense. If you're worried about the government targeting you, then what is the alternative... less hardened phones? At least Graphene will protect you better than the stock OS. If you're really that concerned then you shouldn't use anything going through cell tower (or take extreme precautions when doing so).

bigyabai

Short answer: Google is a business that can be compelled by the federal government in ways that nonprofits are resistant to. Ron Wyden identified one of these weaknesses in 2023: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-...

GeekyBear

No American company has a choice when the Feds want data stored on a company's server.

That doesn't stop Apple or any other company from designing devices that attempt to keep prying eyes out of the data stored on your device.

bitwize

The government has ways of twisting the arms of uncooperative people/organizations into providing all the backdoors they need. Everything from increased tax and regulatory scrutiny to "discovering" CSAM on executives' computers or phones.

The government does what it wants because it's the government. Mere laws generally don't stand in its way for long.

kangs

google even has specially signed fw that lets you root the device and unlock anything that doesn't rely on the passcode. secureboot passing and all. i can't imagine that the nsa doesn't have them. after that you just gotta crack the usually very simple passcode. wouldn't be surprised if that's what cellebrite has lol.

windexh8er

Let's be very clear: this is still Google's choice. Google could build a phone that they can't be compelled to do anything to after the phone is sold to their customer, but Google alone chooses to not invest in the security of the phones they're selling to their customers. Because: what is good for the government is now equally good for Google.

Do we not remember how Google immediately enabled TLS everywhere, internally, post-Snowden [0]? Remember when Google was "outraged"? Where are those people now? They surely don't work at Google anymore. It's amazing how enshittified Google and Apple have become in a decade.

[0] https://www.bbc.com/news/world-us-canada-24751821

Youden

Google brings to mind the ship of Theseus - many of the core decision makers have changed over the years, to the point where it's arguably a different company.

The biggest change was 2015 (two years after your article): the founders and Eric Schmidt stepped back and a couple of other folks retired, leading to a new CEO, CFO and CBO. Their opinions on how to best run the company were quite different to their predecessors.

I think another major change is the attention Google started to get from government and regulators.

Veserv

Ah yes, Google could make an unhackable phone secure against state actors; they just do not feel like it.

Not at all a problem that is viewed as so impossible that the very notion of it is beyond belief to the overwhelming majority of software developers. Google can just waltz on down to the corner store and get a jug of unhackable phone software. They just do not want to.

The fact of the matter is that they are incapable of making systems consistently secure against even moderately funded professional cyber demolitions teams. This is true across the entire commercial IT industry with literal decades of evidence and proof time and time again.

Could it also be a conspiracy? Could they also have deliberate backdoors? Sure. But even without them their systems and everyone else are grossly inadequate for the current threat landscape which only continues to pull further and further ahead of their lackluster system security.

harambae

> how enshittified Google and Apple have become

I don’t know about pop-ups or whatever, but as far as mobile security Apple appears to be running the table. Last cellebrite leak showed they couldn’t do anything in BFU, and you can tell Siri to put it back in BFU without hands while being arrested.

chaps

Here's the full document without the blurriness: https://www.documentcloud.org/documents/24833831-cellebrite-...

(it's been available since 2024 -- found by searching for "android os access support matrix" on documentcloud)

Infernal

The point here is that the doc you linked is a year and a half old, this (if real) is much newer. Security is a constant arms race between attackers and defenders, nothing is static so updates of this nature are always welcome.

chaps

I'm not disputing that. :)

Infernal

Fair, I suppose I've misunderstood. I took "it's been available since 2024" as a dismissal of this new information.

Squealer2642

This one doesn't have Pixel 9s, so the image in the article has been updated a bit.

BLKNSLVR

Testament to GrapheneOS' competence and commitment to its purpose that it's called out by name by Cellebrite.

Lucasoato

> https://signal.org/blog/cellebrite-vulnerabilities/

There’s always the hope they are hit back: Cellebrite can develop solutions to automate the hacking of target phones, but in doing so their physical devices are exposed to being hacked as well.

jojobas

How come not a single Cellebrite device got "lost" and thoroughly analyzed? Surely quite a few police depts are rather lax.

runlevel1

One did "fall off a truck" and into Moxie Marlinspike's hands back in 2021: https://signal.org/blog/cellebrite-vulnerabilities/

A bunch of their software was also leaked in a hack back in 2023: https://ddosecrets.com/article/cellebrite-and-msab

j1elo

> Notably, the Pixel 10 series is moving away from physical SIM cards.

Is it? I hadn't followed news of the new Pixels.

I don't like the idea of modernizing this and going full eSIM. It will introduce a lot of new friction; somehow I don't doubt it. Just arrived in Mexico for a quick trip and grabbed a prepaid SIM from a 7-11 in the airport. All quick and simple. I doubt things would be so seamless when not having a SIM tray in the phone. Having to go through an official process to register a new card, ID oneself, hope to not have any incompatibility with the eSIM slots in your phone (admittedly I don't know how this works)... vs. just paying MXN100 and leaving the store with a ready-to-use number.

precommunicator

And on the other hand, you enter Montenegro by car outside of the touristy season and no petrol stations carry SIM cards then, and you have to find some kiosk in the city center that does, wasting so much time in the process, relying on offline maps or spotty wi-fi.

You enter Serbia or Faroe Islands, and to get a SIM you have to find the operator booth, hope it's not in city center where parking is close to impossible, wait in a queue, they don't accept card, go find an ATM, pay extra for foreign withdrawal, pay extra ATM fees...

e-SIM just solves that; you simply buy it online beforehand. And if you forget, I have a bit more expensive "any country" e-SIM that will allow me to do so.

Before e-SIM was a thing, mobile roaming outside of the EU was on the extremely expensive end. Now I don't even get to use my e-SIM capabilities, as my network operators have pretty cheap package rates to just roam outside of the EU. I wonder if the widespread adoption of e-SIM has anything to do with that.

duskdozer

The process for migrating eSIMs for me has never been easy and has always taken 1-2 days and repeated contacts with customer service agents to actually work. Compared to the 10 seconds of swapping a physical SIM. I'm sure there isn't an inherent technical reason why eSIM couldn't be just as easy if not more, but I assume it's another case of enshittification.

Flere-Imsaho

eSIMs feel like a solution waiting for a problem. Consumers are happy with physical SIMs, you obtain one, you put it in your phone then you forget about it until you swap your phone.

I'm sure eSIMs are a good idea if your aim is to gain even more control over our personal devices.

abraham

eSIMs are nice in that you can install an app and it can activate service immediately. You don't have to go to a store or wait for a physical SIM to be mailed to you.

embedding-shape

Also nice for people who frequent different countries, easier to switch by tapping a button in the phone than having to replace the physical SIM card each time. And no more forgetting the right SIM or not having a tiny thing to get the SIM card out in the first place (or having to borrow someone's earring).

wooptoo

You can actually get a prepaid travel eSIM before you leave on holiday.

Nextgrid

Which are absolutely shit because your data exits out on the other side of the world with 150ms extra latency.

Getting an (e?)SIM from a local carrier is always better and often cheaper too.

stackskipton

eSIMs can be QR codes, so if they wanted, the Mexican vendor could just take payment and show a QR code for you to scan.

purpleidea

The unfortunate problem with eSIM is that you can't swap it between phones.

wooptoo

You absolutely can. But it does need an internet connection for that. Which actually makes eSIM more secure than regular SIM.

c420

>However, rogueFed also called out the meeting organizer by name (the second screenshot, which we are not reposting).

The FBI?

driverdan

No, the Cellebrite rep Alex Rankmore. The screenshot is still in the thread farther down.

aussieguy1234

I've set up GrapheneOS on my Pixel with 2FA fingerprint + PIN unlock. No way will anyone be getting into it without my cooperation.

My only issue was less compatibility with my local emergency services, since they can't see me on a map for some reason if I call from a GOS phone.

My solution to that was a second Pixel as an emergency phone - one with the stock OS, that I'll swap SIMs with and take with me when hiking, stand-up paddle boarding and doing other activities that carry risk. This phone has no sensitive information in it. I also have a PLB for added protection.

tredre3

> My solution to that was a second Pixel as an emergency phone

Picking a Pixel specifically as an emergency phone is quite the choice, given years of on and off 911 issues.

DANmode

...with the Google software.

sigio

Don't know if/how this works in the US, but the EU emergency number can always be called without a SIM card/subscription, so no need to swap SIM cards. (And sometimes even from a locked phone)

DANmode

First I’m hearing Graphene causes issues with E911 - is this a setting?

fluidcruft

Is there anything actually preventing Samsung or another vendor from adopting GrapheneOS's security innovations?

russianGuy83829

GrapheneOS is seemingly working with an OEM to make a GrapheneOS smartphone. It's probably not Samsung, but it would still be an established vendor.

DANmode

It better not be Samsung...

DANmode

Willingness to pay great developers and engineers to build secure hardware,

understanding sec,

them observing actual demand for security.

History says don't hold your breath.

We get lucky once in a while, like with Google's hardware (without their software).

joemazerino

The hardware Samsung provides is not up to spec.

immibis

Probably their legal obligation to comply with secret government orders (FISA, NSL etc - the government probably already said don't make unhackable phones or else) and their informal wish to remain on the regime's good side.

IncreasePosts

Use that and you'll get charged with destruction of evidence

Stefan-H

Cooperation under duress is still cooperation.

gnarlouse

Wow. I was just thinking about jumping ship from iPhone to Pixel.

dns_snek

All iPhones were vulnerable according to the last available iOS support matrix.

runlevel1

That's not quite correct, but you're not a million miles off: https://www.documentcloud.org/documents/24833832-cellebrite-...

To calibrate your sense of time, the iPhone 15 had been released in September 2023 and that doc is dated April 2024, so ~6 months.

And just for completeness, here was the Android doc that leaked at the same time: https://www.documentcloud.org/documents/24833831-cellebrite-...

zb3

Another great thing about GrapheneOS (besides security) is that Google Play Services can be installed without elevated privileges and even in a separate profile which can't run in the background. This makes the phone suitable for both normal usage and for those cases where you need to use some "official" app.

It passes Play Integrity "MEETS_BASIC_INTEGRITY" but of course doesn't pass higher levels, not because it's insecure but because it refuses to grant GMS elevated privileges. The good news is that banking apps can whitelist GrapheneOS using the standard Android attestation mechanism (and some already did).
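Added example (not from this thread, GrapheneOS or any banking app) of the allowlisting zb3 describes: an app backend reads the hardware-enforced RootOfTrust out of the Android key attestation KeyDescription extension (OID 1.3.6.1.4.1.11129.2.1.17) and accepts a custom OS only when the bootloader is locked, the verified boot state is SelfSigned and the SHA-256 of the verified boot key is on its trusted list. It assumes the attestation certificate chain was already validated up to Google's root and the extension body extracted; the sample KeyDescription, boot key and allowlist are constructed stand-ins.

```python
import hashlib
ROOT_OF_TRUST_TAG = 704  # [704] rootOfTrust in the KeyMint AuthorizationList
SELF_SIGNED = 1          # verifiedBootState: Verified=0, SelfSigned=1, Unverified=2, Failed=3
def der_read(buf, pos):
    """Read one DER TLV at pos -> (tag number, identifier byte, value, next pos)."""
    ident, pos = buf[pos], pos + 1
    tag = ident & 0x1F
    if tag == 0x1F:                      # high-tag-number form, needed for [704]
        tag, b = 0, 0x80
        while b & 0x80:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
    length, pos = buf[pos], pos + 1
    if length & 0x80:                    # long-form length, used by real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, ident, buf[pos:pos + length], pos + length
def der_children(buf):                   # split a constructed value into (tag, ident, value)
    out, pos = [], 0
    while pos < len(buf):
        tag, ident, val, pos = der_read(buf, pos)
        out.append((tag, ident, val))
    return out
def attestation_allowlisted(key_description, trusted_boot_key_sha256):
    """True only if the hardware-enforced RootOfTrust reports a locked bootloader, a
    self-signed (custom OS) boot state and a verified boot key on the allowlist."""
    fields = der_children(der_children(key_description)[0][2])
    if fields[1][2][0] not in (1, 2):    # attestationSecurityLevel: TEE=1 or StrongBox=2
        return False
    for tag, ident, val in der_children(fields[7][2]):          # fields[7] = teeEnforced
        if tag == ROOT_OF_TRUST_TAG and ident & 0xC0 == 0x80:   # context-specific class
            boot_key, locked, state, _hash = der_children(der_children(val)[0][2])
            if locked[2] != b"\xff" or state[2][0] != SELF_SIGNED:
                return False
            return hashlib.sha256(boot_key[2]).hexdigest() in trusted_boot_key_sha256
    return False                         # no hardware RootOfTrust: trust nothing
def der(tag, body):                      # tiny DER encoder (short lengths) for the sample
    return tag + bytes([len(body)]) + body
def sample_key_description(boot_key, state, locked=True):  # constructed KeyDescription
    root = der(b"\x04", boot_key) + der(b"\x01", b"\xff" if locked else b"\x00")
    root += der(b"\x0a", bytes([state])) + der(b"\x04", b"\x00" * 32)
    tee = der(b"\x30", der(b"\xbf\x85\x40", der(b"\x30", root)))  # [704] EXPLICIT RootOfTrust
    fields = (der(b"\x02", b"\x64") + der(b"\x0a", b"\x01")) * 2   # versions, security level TEE
    return der(b"\x30", fields + der(b"\x04", b"nonce") + der(b"\x04", b"") + der(b"\x30", b"") + tee)
def demo():
    boot_key = b"\x11" * 32              # constructed stand-in for an OS vendor's boot key
    allow = {hashlib.sha256(boot_key).hexdigest()}
    cases = [(boot_key, SELF_SIGNED, True), (b"\x22" * 32, SELF_SIGNED, True), (boot_key, 0, False)]
    return tuple(attestation_allowlisted(sample_key_description(*c), allow) for c in cases)
```

`demo()` returns `(True, False, False)`: the allowlisted key passes, an unknown boot key is rejected, and an unlocked bootloader is rejected even with a known key.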

throawayonthe

this is actually not the case on modern Android lol

vdupras

Oh, that's what you get by being unaware of the cellphone brands. I was all excited thinking "hey, they found a way to hack phones through, I guess, screen firmware by setting a special sequence of pixels? How frakking cool!". How disappointed I was...