Final
npub1hxx…g75y
2024-10-14 10:12:08
in reply to nevent1q…ezyj


If you mean state-level threats, it's not likely they'd want to target the secure element unless there's a requirement to prove they aren't tampering with data in the operation. This capability is most useful for attacks with physical access. Cellebrite wants this because their tools are used with seized phones for customers to extract a forensic copy of its data.

It is almost certain groups are researching this capability. We recommend that users use a high-entropy passphrase that can't be brute forced if they believe that it could happen and if it will be used against them. Brute force also doesn't always mean the secure element is exploited; MSAB's now-burned stock Pixel brute force capability used a memory dump instead of the secure element.

Remote exploitation may be better for intelligence agencies. GrapheneOS defence strategy puts remote exploitation as the most dangerous threat we want to protect against. Users with that risk should do due diligence on who and what apps they communicate with.
Author Public Key
npub1hxx76n82ags8jrduk0p3gqrfyqyaxnrlnynu9p5rt2vmwjq6ts3q4sg75y