When eBay merchant Mr. Balaj was looking through a pile of hi-fi junk at an auction in the U.K., he came across an odd-looking device. Easily mistaken for a child’s tablet, it had the word “Cellebrite” written on it. To Mr. Balaj, it appeared to be a worthless piece of electronic flotsam, so he left it in his garage to gather dust for eight months.
But recently he’s learned just what he had his hands on: a valuable, Israeli-made piece of technology called the Cellebrite UFED. It’s used by police around the world to break open iPhones, Androids and other modern mobiles to extract data. The U.S. federal government, from the FBI to Immigration and Customs Enforcement, has been handing millions to Cellebrite to break into Apple and Google smartphones. Mr. Balaj (Forbes agreed not to publish his first name at his request) and others on eBay are now acquiring and trading Cellebrite systems for between $100 and $1,000 a unit. Comparable, brand-new Cellebrite tools start at $6,000.
Cellebrite isn’t happy about those secondhand sales. On Tuesday, two sources from the forensics industry passed Forbes a letter from Cellebrite warning customers about reselling its hugely popular hacking devices because they could be used to access individuals’ private data. Rather than return the UFEDs to Cellebrite so they can be properly decommissioned, it appears police or other individuals who’ve acquired the machines are flogging them and failing to properly wipe them. Cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result.
Earlier this month, Matthew Hickey, a cybersecurity researcher and cofounder of training academy Hacker House, bought a dozen UFED devices and probed them for data. He discovered that the secondhand kit contained information on what devices were searched, when they were searched and what kinds of data were removed. Mobile identifier numbers like the IMEI code were also retrievable.
Hickey believes he could have extracted more personal information, such as contact lists or chats, though he decided not to delve into such data. “I would feel a little awful if there was a picture of a crime scene or something,” he said. But using the information within a UFED, Hickey believes a malicious hacker could identify the suspects and their relevant cases.
In one screenshot provided by Hickey to Forbes, the previous UFED user had raided phones from Samsung, LG, ZTE and Motorola. Hickey had tested it on old iPhone and iPod models with success.
Cellebrite hasn’t returned repeated emails from Forbes seeking comment over the last two weeks.
Rooting out Cellebrite’s secrets
The tools may also contain the software vulnerabilities Cellebrite keeps secret from the likes of Apple and Google, said Hickey. Cellebrite’s exploits (little software programs that break the security of computers and mobile phones) were encrypted, but the keys should be extractable from the UFED, though Hickey hasn’t had success on the tools he bought.
As Forbes reported in March last year, Cellebrite had become so adept at finding iOS flaws that it was able to crack the passcodes of the latest Apple models, up to the iPhone X. But the forensics provider is in a race to find flaws before Apple patches them and the hacks become impossible. The company explained to Forbes that it had to keep those exploits secret so Apple couldn’t fix them and prevent police from accessing iPhones.
Looking deeper, Hickey found what appeared to be Wi-Fi passwords left on the UFEDs too. They could have belonged either to police agencies or to other private entities that had access to the devices, such as independent investigators or business auditors.
Reselling police data
There’s one obvious reason the Cellebrite devices have started appearing online: There are newer models of UFED being released with fresh software. But Hickey was concerned to find leftover forensics data.
“You’d think a forensics device used by law enforcement would be wiped before resale. The sheer volume of these units appearing online is indicative that some may not be renewing Cellebrite and disposing of the units elsewhere,” Hickey told Forbes.
“Units are intended to be returned to vendor precisely for this reason; people ignoring that risk information on the units being available to third parties.”
Hackable hacking kit
Hickey said security on the units was “fairly poor.” In particular, he was able to find out the admin account passwords for the devices and take control of them. Cracking the devices’ license controls was also simple, using guides found on online Turkish forums. A skilled hacker could unleash the device to break into iPhones or other smartphones using the same information, he said. A malicious attacker could also modify a unit to falsify evidence or even reverse the forensics process and create a phone capable of hacking the Cellebrite tech, Hickey warned.
Despite concerns about the security of critical law enforcement devices, Hickey at least plans to do something fun with his purchases. For some upcoming hacker parties, he’s going to alter them to run the shoot-’em-up classic Doom. Others have already started playing.