Revealed: Israeli Firm Provided Phone-hacking Services to Saudi Arabia

A representative of Cellebrite, which states that it has complied with the rules, flew to Riyadh from London last November, and at the request of the Saudi prosecutor’s office hacked into a Samsung cellphone

A banner showing Saudi King Salman, right, and his Crown Prince Mohammed bin Salman in Jeddah, Saudi Arabia
Amr Nabil,AP

In November of last year, a representative of the Israeli firm Cellebrite landed at King Khaled International Airport in the Saudi capital, Riyadh. The man, a foreign national whose identity is known to TheMarker, Haaretz’s sister publication, arrived on a commercial flight from London to hack into a phone in the possession of the Saudi Justice Ministry. The details of the visit were agreed upon before the hacker landed. 

UPDATE: Israeli phone-hacking firm Cellebrite halts Hong Kong deal with China

The staff at Cellebrite demanded of the Saudis that their employee be met at the Riyadh airport by a government representative. They insisted that he pass through passport control without his passport being stamped and without an inspection of the electronic equipment that he would have with him, which they demanded would not leave his possession and only which he would use. 

From there, it was agreed in advance that the hacker would be immediately taken to an isolated hotel room, where the Saudis committed not to install cameras – and where the job of hacking and copying information from a mobile cellphone was carried out. When the work was completed, Cellebrite’s representative returned to the airport and flew back to London.

Cellebrite is not the only Israeli company to provide hacking or other cybersecurity services to the Saudi kingdom, but it is apparently the only one that does so without any oversight from the Israeli Defense Ministry.

It was recently disclosed that Cellebrite has not been registered as a security-related exporter, as the law requires, due to what they claim is the non-defense nature of their phone-hacking hardware. As a result, the Israeli firm and its gear is not subject to the supervision of the Defense Ministry’s Defense Export Control Agency – due to what has been described by critics as a failing on the company’s part, and possibly of the Defense Ministry as well.

Cellebrite, which said that it serves police and security forces in 150 countries, has been classified up to now as an exporter of dual-use civilian services under the supervision of the Economy Ministry. In August, following allegations regarding services that it provided to the Hong Kong police as part of its crackdown on pro-democracy protesters, the Economy Ministry said it was not responsible for overseeing any services that the company provides to police forces – shifting responsibility for that to the Defense Ministry. For its part, the Defense Ministry refuses to comment on the question of why Cellebrite has not been required to register as a defense exporter.

In a response for this article, Celebrite said that it provides its technology “to authorized agencies only” and applies “a range of tools dictating the manner in which they can be used.”

Breaking Samsung 

One of the models in Cellebrite’s Universal Forensic Extraction Device product line.
Courtesy

Cellebrite developed the UFED extraction system, which can serve civilian needs such as backing up software on smartphones, but can also be used for military and homeland security-related needs, such as investigations. The company’s technology not only makes it possible to hack into smartphones and to copy all of the information on them – including correspondence, location histories, sound files, videos and pictures. It also can reconstruct information that has been deleted from a device. 

Unlike the technology of several other Israeli companies that have also worked in Saudi Arabia, this doesn’t involve remote hacking. It’s used to extract information from devices that are in its clients’ physical possession.

In the case that TheMarker learned of, a Samsung S10 phone was hacked at the request of the general prosecutor’s office in Riyadh. TheMarker does not know who owned the phone, and it is doubtful that Cellebrite knew either. As far as is known, Cellebrite did not delve into who was the original owner of the phone, but it did condition its service on a Saudi commitment that the possession of the phone and hacking into it were legal, at least according to Saudi law. 

However, when Cellebrite provided its service, the nature of the regime of Saudi Crown Prince Mohammed bin Salman, who in large measure in recent years has decided what Saudi law is and how it is enforced, was already a well-known fact, raising questions about the practice.  

The U.S. administration under President Donald Trump and his allies, including Israel, have done much to deflect the questions raised by the persecution, arrests and sometimes even evidence of the torture of opponents of Prince Mohammed’s regime. At the end of 2018, following the assassination in Turkey of Jamal Khashoggi, an opponent of the regime, defending Riyadh became harder. 

As was known at the time that Cellebrite supplied its service to the Saudis, a group of about 15 people who were loyal to the crown prince killed Khashoggi, a Saudi national living in exile, and dismembered his body. His body was then disposed of in an operation carried out at the Saudi consulate in Istanbul.

Israeli connections

Following the affair, the spotlight was directed at another offensive firm operation originating in Israel. A close associate of Khashoggi’s and the Toronto-based Citizens Lab claimed that the associate’s cellphone had been hacked and pointed an accusing finger at the Israeli firm NSO, which provided remote cellphone hacking services to Crown Prince Mohammed’s regime. NSO denied allegations of its involvement in the assassination but continued to provide the service to the Saudis. 

Cellebrite CEO Yossi Carmil.
Coutesy

In October 2019, about a year after Khashoggi was killed and while Cellebrite was in contacts with the Saudis about the hacking operation, the details of which are being reported here for the first time, the Israeli Ynet news website published an interview with Cellebrite’s CEO, Yossi Carmil. 

When Carmil was asked about the ethical differences between the services provided by NSO and Cellebrite, he expressed outrage at the comparison, saying that his worked in the law-enforcement sector, “which is very limited in its authority, unlike the world of the clients of NSO and others, where illegal things as well as covert things are done. Cellebrite is entirely in the good zone, with judicial orders. We don’t create hacking devices for private entities or espionage agencies.”

From the FBI to Lukashenko

Cellebrite was established in 1999. Early on, it focused on backing up and synchronizing data between phones. In 2007, it was sold to Sun Corporation of Japan for $17 million. It has maintained its Israeli operation, based in its offices in the Tel Aviv suburb of Petah Tikva, where it employs a staff of several hundred. In the period when it was sold to the Japanese firm, Cellebrite began focusing on the field known as mobile forensics.

As long as it marketed its products to responsible customers, they were also used for proper purposes, such as solving crimes and counter-terrorism. In 2016, the company attracted worldwide attention after it helped the FBI in the United States hack into the iPhone of the terrorist who shot up the Inland Regional Center in San Bernardino, California, killing 14 people. 

The hacking operation, for which the FBI reportedly paid $900,000, spared the law enforcement agency the need to continue pursuing highly publicized legal proceedings that sought to force the iPhone’s manufacturer, Apple, to give the FBI access to the data on the device. 

Police in Minsk, the Belarus capital
AFP

Recently, Haaretz reported that Cellebrite had marketed its services to two regimes that have faced political protests and have violently attempted to suppress them – Belarus and Hong Kong. In Belarus, the country’s dictator, Alexander Lukashenko, has been dealing with mass demonstrations over claims of election fraud in last month’s election and demands for regime change. Thousands of activists, including protest leaders, have been arrested in the authorities’ attempts to halt the demonstrations. Some of the leadership has been forced to leave the country.

In the case of Hong Kong, as part China’s exertion of greater control over the territory, which has included the trampling of freedom of political expression, a security law was enacted which in part defines basic protest activities as terrorism. 

Cellebrite supplied services to the Hong Kong police before that, but the company’s technology has continued to serve the police force even when it confiscated the phones of thousands of detained protesters. Some of the phones were hacked using Cellebrite’s technology, including the phone of one protest leader, Joshua Wong, as is reflected in documents attached to a court petition recently filed in Israel by attorney Eitay Mack. 

In August, Mack approached the Foreign Trade Administration at the Economy Ministry, which oversees Cellebrite’s operations, seeking to halt the export to Hong Kong. The director of the Foreign Trade Administration, Ohad Cohen, issued a surprising response that revealed that the “civilian” company’s operations were not subject to oversight. 

“The exported goods are destined for an end user that is a police force or security force, and therefore by law, the authority to monitor these goods is that of the Defense Ministry,” he replied. On the other hand, neither the company nor the Defense Ministry have even tried claiming that the company is subject to any such oversight.

Mack and about 60 Israeli human rights activists filed an administrative petition in Tel Aviv District Court seeking to get the Defense Ministry to begin supervising Cellebrite and ordering the company to refrain from providing service to the Hong Kong government. 

In its response for this article, Cellebrite said that it develops technology that “assists law enforcement agencies to collect digital evidence and expedite complex investigations in accordance with the law.”

“Our technology serves 154 countries and has made convictions possible in more than 5 million cases of serious crime, such as murder, rape, human trafficking and pedophilia. We do not provide information about our clients and their activities. We provide our solutions to authorized agencies only and apply a range of tools dictating the manner in which they can be used. In addition, we work subject to clear policy and accepted international rules to prevent a business relationship with agencies subject to international restrictions.”

The Defense Ministry said in response that “it does not reveal information regarding defense export policy and does not comment on specific licenses or specific cases of those registered as exporters, due to defense, diplomatic and strategic considerations.”