When an individual acquires a zero-day and turns it into a product to be bought by people to freely target users of the vulnerable software, they are treated like a crook. When Cellebrite do it, it should be no different.

Here is the statement from Cellebrite on the matter: “We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.”

A software developer is entitled to know that their software is being / attempted to be exploited by a wealthy, influential actor. This is called responsible disclosure, a virtue of the security community these companies don't follow. What we do against these groups is an act of self-defence of our product and work.

GrapheneOS, Google, Samsung, Apple and the greater mobile security community are neither a "potential criminal" nor a "malicious actor". These authoritarian talking points are stale and come from the same playbook as "Think of the children" and other fallacy phrases meant to attack you as being a danger for something as simple as wanting to protect yourself.

Vulnerabilities don't just exist for the bad guys. All vulnerabilities are to be patched when uncovered. At the bare minimum, a single so-called illicit use of it anywhere in the world immediately makes their exploit a cyberweapon that must be neutralised. Them being an exploit alone is the only justification we need to seek to disrupt these threat actors' work.
Final
GrapheneOS has diminished exploit capabilities for Cellebrite a third time. They are no longer able to perform a Full Filesystem extraction of an unlocked device. This prevents extraction of hidden operating system and application data. Given it is unlocked, they're still accessing all the important stuff though.

This could be an indicator of their target. They are likely to move their resources to attempt researching an exploit targeting the Titan M2 secure element or for extraction for AFU Locked devices rather than be concerned about extracting a device already unlocked.

We routinely receive this information from sources familiar with Cellebrite. However, do you have more information on exploit vendors? Do the right thing. Tip off #GrapheneOS at security@ our domain or contact the project account on our platforms. We will respect your privacy. We have made upstream security reports to Google and Apple.

Encryption can be performed via our Age public key: age1dcftzgq00ykgwvxl5te6d5clqgx75h2g54c0u8gjc43mcnea7p7q3ma0yx

https://grapheneos.org/.well-known/security.txt

Replies (3)

The claim of 'illicit use' is 'so-called' because it tries to imply there is an ethical or good use of an exploit tool. There isn't. It's all bad.