The Leak: Cellebrite Matrix Reveals GrapheneOS Protects Pixels Against Data Extraction
A researcher operating under the handle rogueFed covertly joined a closed online briefing hosted by Cellebrite and leaked materials revealing which Google Pixel models are susceptible to extraction with the company’s tools. The disclosure—surfacing on the GrapheneOS forum and flagged by 404 Media—included an internal device-compatibility matrix that, for the first time, lists a protected build of GrapheneOS, an independent, privacy-focused Android derivative.
Cellebrite, an Israeli firm renowned for its mobile-data extraction suites used by law enforcement worldwide, produces systems for cloning phone contents, circumventing passcodes, and analysing on-device storage. While the precise mechanics of those tools remain proprietary, screenshots from the leaked Microsoft Teams session indicate Cellebrite’s capability to pull data from most Pixel models spanning the Pixel 6 through Pixel 9 families. A notable exception: devices running GrapheneOS, where access is thwarted even when the handset is unlocked.
The slide’s matrix delineates three security states: BFU (Before First Unlock), AFU (After First Unlock), and fully unlocked. In BFU, data remain encrypted until the user enters their PIN after a reboot; in AFU, certain keys have been activated, easing access; and when a device is fully unlocked, it becomes broadly vulnerable to wholesale data copying. Cellebrite’s notes suggest that standard Google firmware permits extraction of user files in all three states, though the procedure does not include brute-forcing the lock screen. The company also highlights that eSIM profiles cannot be exported—Google has tightly restricted the transfer of carrier digital profiles.
By contrast, the GrapheneOS entries read differently. Devices running GrapheneOS builds released after late 2022 are shown as resilient to Cellebrite’s techniques. Pixel 8 and Pixel 9 handsets, which debuted later, are reported fully protected in both BFU and AFU modes; and since late 2024, even unlocked Pixels running the current GrapheneOS release resist automated extraction via Cellebrite tools. In such cases investigators are limited to manual, visual inspection of the interface and content accessible to the user—automated copying of databases, message archives, or file stores proves infeasible.
RogueFed claims to have joined similar Cellebrite briefings twice without detection. One screenshot, omitted from re-publication by the leaker, shows the meeting’s organizer. In response to the leak, Cellebrite will likely tighten attendee vetting and reassess its admission procedures.