Leeor Ben-Peretz, the executive vice president of the Israeli firm Cellebrite’s technology, shows devices and explains the technology developed by his company on November 9, 2016 in the Israeli city of Petah Tikva. It only takes a few seconds for an employee of Cellebrite’s technology, one of the world’s leading hacking companies, to take a locked smartphone and pull the data from it. (Photo: JACK GUEZ/AFP/Getty Images)
Cellebrite, an Israeli firm that hacks phones for law enforcement agencies the world over, has itself been breached, with 900GB of data leaked to Vice Motherboard journalist Joseph Cox. The firm confirmed the hack in a brief note to customers, noting that the target of the attack appeared to be a legacy database backup of my.Cellebrite, a portal where law enforcement could log in to get updates on their forensics devices. It’s unclear whether information on historical or current investigations has been compromised.
“Presently, it is known that the information accessed includes basic contact information of users registered for alerts or notifications on Cellebrite products and hashed passwords for users who have not yet migrated to the new system. To date, the company is not aware of any specific increased risk to customers as a result of this incident; however, my.Cellebrite account holders are advised to change their passwords as a precaution,” the firm wrote in a statement.
“The company is working with relevant authorities regarding this illegal action and are assisting in their investigation.” It remains unclear just when and how Cellebrite was hacked.
Cellebrite is widely used by global law enforcement. In America, it’s considered one of the leading forensics suppliers. In particular, its UFED device is often used to quickly crack open a phone and retrieve data. I’ve tried the tool myself at a trade show in London, finding it to be an incredibly simple plug-and-play tool, with a touchscreen to choose what phone was to be hacked and what data to be drawn from specific apps.
Cellebrite was previously in the news after it was linked to the feds’ hack of the San Bernardino shooter’s iPhone, but was later reported to not have been the successful bidder for the FBI contract. During the trade show, the iPhone 5C was not amongst the thousands of devices it said it could unlock. More recent iPhones were also noticeably absent from the list.
Investigations ‘shouldn’t be in danger’
Heather Mahalik, a noted forensics expert who has used UFEDs and taught others how to operate them, said the leaked information should not include information on investigations as the portal was not designed to host any such data. “It’s simply a place to get your tool updates and read what’s new. So, the worst seems to be getting your username and password. Reminds me of the LinkedIn leak,” she told me.
Most users are asked to sign up with name, address, phone number, email and a username/password. “However, fake information is accepted and most people I know create fake email accounts to register for this sort of thing.”
Mahalik did ponder what the hackers might have stolen from Cellebrite developers, however. Amongst Cellebrite’s most valuable intellectual property are its techniques for breaking open Apple iPhones, Google Android devices, and pretty much any mobile cell imaginable, even fakes produced in China. Going by Cellebrite’s statement, the company may have been fortunate in keeping hold of that IP.
But it is now drawing the attention of civil rights campaigners, as Cox reported that countries with questionable human rights records appeared to be customers. They included Turkey, the United Arab Emirates and Russia. Cellebrite hadn’t responded to my enquiries about anxieties around selling to such countries, where activists’ digital devices have repeatedly been targeted by the government.