Security of Sailfish OS broken by Cellerite?

Reading this post, I would like to know if Sailfish OS security is really broken in less than 4 minutes by Cellerite :

Looks like marketing fluff piece, here’s some docs from Sept 2019 and they even broke all iPhones (assuming all devices were not encrypted (encryption not at all mentioned) so it needs you to enter PIN for each device I guess this is just glorified ‘copy *’ and prepopulate some tables based on filenames/types plus sim reader)

edit: Here’s some more info

Out of 30k supported device profiles they claim to be able to disable passcode/userlock on 3623 (or 5501 unique devices, so probably all rootable androids, check XDA if you’re safe), iPhones require a jailbreak

edit: funnily enough they advertise MTK Live: Perform Physical or Full File-system extractions on unlocked MediaTek (MTK) devices, so MTK is safer from israelis lol

1 Like

No, in the diaspora* post, it’s a Sailfish OS user that gave its smartphone to Cellebrite to test its security, during an expo. And they took less than 4 minutes to break all the security barriers to access its data.

Which expo and which phone? Encryption on sfos is from very recently and still only on some xperias (correction: all xperias have now the option since 3.3.0, thought X was still lagging, would be good to know when the expo happened and which device model he used and if he actually had encryption turned on as even on X10 it required reflash before 3.3.0). Again it looks like this is a extraction with police asking you to enter PIN, it only supports ‘cracking’ as in exploits in like 10-15% of supported devices according to their own promotional materials
edit: some more info covers cellebrite and few others, it’s a bit more than a copy for unlocked phones, for some phones it will guide the police officer through what buttons to hold after resetting the phone to turn on fastboot or similar (depending on vulnerability used), it’s bit old and claims iPhones are still safe except mtp (and with checkm8 up to iphone X are all compromised now, so better buy 2018+ iphone, though they don’t jailbreak them at the station yet). Would be cool to test a wholly encrypted (with long pass, though doubt it does any bruteforcing) XA2 on some expo

1 Like

There’s another article (I’m no expert in this area, but it seemed well written) about how to retrieve data from the original JP-1:

It was commented by no other than tigeli:

“The phone only exposes the port 23 (telnet); once inside, without being asked for any kind of authentication, it provides the access to a shell with root privileges.”

This is incorrect for SailfishOS… if the device actually had pin-code enabled it would ask it before allowing user to access the shell in the recovery mode.


its not a secret that any encryption can only be as hard as the password. and since jolla is using your unlocking (numerical) pin as password it is of course not hard to bruteforce your way in.


Agreed, but at the same time 4 minutes pretty much proves it was not LUKS crack, their kiosks use shitty processors to mainly just display UI for officers, even a 5 digit luks takes a little while (check hashcat forum, quadcore would need 2 minutes minimum for 5 digit as it’s about 300h/s per core, no way to finish all in 4, 7k hashes per second on 1080 and luks2 kinda fixes it with high memory mode, no idea if jolla uses luks2 tho), but yeah you need 15-20 digit length to be kinda secure with digits only (edit: and that’s 15+ random digits, forget about putting any birthday dates, or connecting strings like 1234321 etc)

edit: in case anyone is interested in benchmarks vs LUKS
(even though it’s 2017 1080 is still useful for comparison, 2080Ti will not be that much faster as they went with ‘realtime raytracing wooo’)