
Your phone is, for all practical purposes, your most intimate possession. It holds your conversations, your contacts, your movements, your photos, and often the internal communication of every organization you belong to. When a phone is seized and unlocked by authorities, or by anyone else with the right tools, it is the privacy of every person you have ever communicated with that gets violated.

This post provides an overview of the commercial phone unlocking industry, explains at a high level how these tools work, and offers concrete defensive strategies for individuals and communities.

A booming and unregulated market

The use of forensic phone unlocking tools by law enforcement and other actors is incredibly common. Several companies compete in this space, and the market is almost entirely unregulated. While spyware tools designed to remotely infect a device are at least nominally subject to export controls (controls that consistently fail in practice), forensic unlocking tools are not even covered by that much. The companies that build phone unlocking tools have successfully avoided being classified as dual-use technologies, despite the obvious implications for human rights.

The major commercially available players include Cellebrite, Magnet Forensics (which markets the GrayKey device), and Oxygen Forensics. Among these, Cellebrite and GrayKey stand out because they actively acquire and deploy zero-day vulnerabilities to bypass device security.

Licenses are relatively cheap, especially in relation to the capabilities these tools provide. They are well within reach of local police departments, private investigators, and in some documented cases, phone repair shops and consultants operating with even less oversight.

As Osservatorio Nessuno recently documented, abuses of this technology are occurring even for minor infractions or investigations. It is also routinely used at borders and on vulnerable people, including in the European Union. Amnesty International has documented similar abuses in Serbia, where Cellebrite tools were used to target journalists and activists.

How phone unlocking works

It helps to distinguish between two related but different operations: unlocking and extraction. Unlocking means gaining access to a device, typically by bypassing or recovering the PIN or password. Extraction means making a forensic copy of the device’s data – its file system, applications, messages, and metadata. In practice, unlocking is usually required before a full extraction can take place.

Modern smartphones encrypt their storage. The strength of that encryption, and how difficult it is to bypass, depends heavily on two factors: the state of the device and the hardware it runs on.

A device that has never been unlocked since it was powered on is in a state known as “Before First Unlock” (BFU). In this state, most user data is encrypted with keys that are derived from the user’s passcode and protected by dedicated security hardware. Attacking a device in BFU state is significantly harder and more expensive. A device that has been unlocked at least once since boot is in “After First Unlock” (AFU) state. In AFU, many decryption keys are already loaded into memory, and the lock screen is effectively a user interface overlay rather than a cryptographic barrier. This is why the single most important defensive action, when a device might be seized, is to turn it off.

Flagship devices like Google Pixels include a dedicated secure element (Google’s Titan chip) that stores cryptographic keys in dedicated hardware and enforces rate-limiting on passcode attempts. Most budget and mid-range phones, particularly those running MediaTek chipsets, lack this protection entirely. Many MediaTek processors are vulnerable to known boot ROM exploits that compromise the entire chain of trust and cannot be patched. For these devices, even a long password may ultimately be defeated through offline brute-forcing.

According to Cellebrite’s own February 2025 support documentation, nearly all non-Pixel, non-Samsung devices are considered unlockable. Even among Samsung and Pixel devices, the level of protection varies significantly depending on the chipset, the Android version, and the security patch level.

Defenses that could exist but don’t (yet)

One of the most effective mitigations against forensic phone unlocking is remarkably simple: automatically rebooting the device after a period of inactivity, returning it to the BFU state. GrapheneOS, the security-focused Android distribution, has implemented this feature for years. Apple introduced a version of it for iOS. However, stock Android, which runs on the vast majority of devices worldwide, has been slow to adopt it. Google has made some progress with Android 15, but the implementation remains fairly limited, since Google has chosen to set the reboot timeout at 72 hours, likely as a compromise with authorities.

Similarly, USB port restrictions, such as disabling data transfer over USB when a device is locked, are a powerful mitigation against the physical exploitation techniques that forensic tools rely on. Both Android 15 and iOS offer versions of this feature.

Encrypt, then minimize

Encryption is essential, but it is not sufficient. What we learned from analyzing forensic unlocking capabilities is this: recovering long-deleted data is harder than recovering encrypted data. If an exploit is found that defeats your device’s encryption, everything stored on the device is exposed. However, data that has been deleted for some time might not be as easy to extract.

This has direct implications for how communities should think about operational security. The most impactful single measure any group can adopt is to enable disappearing messages on every messaging application, for every conversation, all the time. Signal, WhatsApp, and other major messaging platforms all support disappearing messages with configurable timers. For groups handling sensitive communications, shorter timers provide stronger protection.

This “encrypt, then minimize” approach acknowledges a straightforward truth: you or someone in your community will eventually have a device seized, and it is everyone’s responsibility to protect their peers.

Technical defenses for individuals

For those who want to maximize their protection against forensic unlocking tools, the following measures are, to our knowledge, effective against currently documented capabilities:

Use GrapheneOS on a Pixel device. According to Cellebrite’s own documentation, GrapheneOS on recent Pixel hardware (6a and newer) provides the strongest protection available on any Android device. A secondhand Pixel 6a running GrapheneOS is a meaningful security upgrade over almost any other Android phone.

Use a strong alphanumeric password, not a PIN. A six-digit PIN or pattern will likely always be cracked. Offline brute-forcing of numeric PINs, when the key material can be extracted, is trivially fast. An alphanumeric password of reasonable length and complexity makes this attack computationally infeasible. The password is only required after a reboot; biometric authentication can handle daily unlocking, unless you are in a jurisdiction where physical coercion is possible or likely.
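To make the PIN-versus-password point concrete, here is an added estimator (not code from the original post or from Osservatorio Nessuno) that compares expected brute-force time for a six-digit PIN and a twelve-character alphanumeric password under two attacker models: offline guessing after key material has been extracted, and guessing throttled by a secure element. The guess rates are constructed assumptions, not measured figures for any real tool or chipset.

```python
# Added example, not code from the original post or from Osservatorio Nessuno.
# Estimates expected brute-force time for the passcode types discussed above.
# The guess rates below are constructed assumptions, not measured figures.
import string

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumption: attacker has extracted key material and runs the key derivation
# offline, so the secure element's rate limiting no longer applies.
OFFLINE_GUESSES_PER_SECOND = 1_000_000

# Assumption: a secure element that allows at most one attempt per second.
# Real hardware applies escalating delays, so this figure favours the attacker.
RATE_LIMITED_GUESSES_PER_SECOND = 1

DIGITS = string.digits                         # 10 symbols
ALNUM = string.ascii_letters + string.digits   # 62 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to find the passcode: half the keyspace must be tried."""
    return (space / 2) / guesses_per_second


def expected_years(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Expected brute-force time in years for a passcode drawn from `alphabet`."""
    space = keyspace(len(alphabet), length)
    return expected_seconds(space, guesses_per_second) / SECONDS_PER_YEAR


def compare() -> dict:
    """Expected years for a 6-digit PIN and a 12-character alphanumeric
    password under both attacker models."""
    return {
        "pin6_offline": expected_years(DIGITS, 6, OFFLINE_GUESSES_PER_SECOND),
        "pin6_rate_limited": expected_years(DIGITS, 6, RATE_LIMITED_GUESSES_PER_SECOND),
        "alnum12_offline": expected_years(ALNUM, 12, OFFLINE_GUESSES_PER_SECOND),
    }


if __name__ == "__main__":
    for name, years in compare().items():
        print(f"{name:20s} {years:.3g} years")
```

Under these assumptions the PIN falls in half a second offline and in under a week even with one guess per second, while the alphanumeric password takes tens of millions of years offline; this is why rate limiting alone is not a substitute for a strong password once key material can be extracted.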

Turn your phone off when it might be seized. This returns the device to BFU state, where cryptographic protections are the most solid. It is the single most impactful action in the moment.

Restrict USB access. On Android 15 and later, disable or restrict USB data transfer when the device is locked. On iOS, enable USB Restricted Mode. On both platforms, enable Lockdown Mode or Advanced Protection where available.

Enable auto-reboot. GrapheneOS allows configuring automatic reboots after a set period without unlocking. This ensures that a seized device returns to BFU state even if the owner was unable to power it off. If you have GrapheneOS, or your device otherwise lets you configure the timer, consider keeping it low, or lowering it (e.g. to 1-2 hours) before participating in an action or event that could result in seizure.

Use application-level encryption. Applications like Signal and many password managers offer their own encryption layer with a separate password. Enabling this provides an additional barrier if all other defenses fail.

If you have an unlocked bootloader, almost none of these measures apply, as the device’s chain of trust is already broken.

After a compromise

If a device has been seized and returned, the following steps are suggested. Reset all passwords from a separate, trusted device. Log out of all sessions on every service. Run the Mobile Verification Toolkit (MVT) to check for indicators of compromise, and share the results with a trusted technical contact. At minimum, factory reset the device; ideally, replace it entirely. Alert your contacts that their communications have been exposed.

A broader challenge

The forensic phone unlocking market operates in a regulatory vacuum. These tools are not classified as weapons, are not subject to meaningful export controls, and are sold to a customer base that extends well beyond law enforcement. As Osservatorio Nessuno has described in detail, the companies involved in this market are active participants in the zero-day vulnerability trade, purchasing and stockpiling security flaws rather than reporting them. This practice weakens the security of every device, for every user, everywhere.

The technical defenses outlined above are generally effective, but they are individual mitigations against a structural problem.

This blogpost summarises the ‘tech dive’ delivered by Osservatorio Nessuno to the members of the Public Interest Technology Group. For a more detailed technical analysis, see the full research series on osservatorionessuno.org.

Osservatorio Nessuno is an Italian non-profit dedicated to defending privacy, anonymity, freedom of expression, and digital rights. Founded in 2021, the group operates Tor infrastructure, provides technical assistance to activists and journalists, develops open-source security tools, and conducts analysis and reverse engineering of surveillance technologies.

If you are an activist or journalist concerned about the security of your devices, or if your device has been seized and you need technical assistance, contact Osservatorio Nessuno via their contacts page.