Activists in Israel and the U.K. have demanded that their local law enforcement agencies stop using the phone hacking technology sold by Israeli digital intelligence firm Cellebrite.
Cellebrite's flagship product is the UFED (Universal Forensic Extraction Device). It allows law enforcement agencies to extract data from locked mobile phones already in their physical possession. Cellebrite, which recently announced it was going public, works with law enforcement agencies and has a long list of clients – including regimes with shady human rights records. For example, until this year, the company's system was sold to China, who used it against pro-democracy activists in Hong Kong. Last month, Cellebrite announced it would also halt sales of its technology to Russia and Belarus.
Last week, the founder of Signal, considered the world's most encrypted mobile phone messaging app, revealed he had managed to hack into Cellebrite's UFED software. He made the announcement in a blog post some two months after Cellebrite said it had managed to crack Signal's app – not its actual encryption, considered the safest in the world, but rather only access to the app itself on a phone already in their possession.
Among the flaws revealed by Signal's Moxie Marlinspike last week was one that allowed potential hackers not just access to Cellebrite's software, but also to manipulate the data it stores.
The exploit makes it possible to change the evidence collected via Cellebrite, a potentially devastating ramification for the company selling its wares to law enforcement agencies.
Marlinspike explained that as the Israeli tech extracts all the information it can from a phone, it is possible to also infect the UFED with a virus preinstalled on the phone. Signal, he said, would include such a program in its next update so that any future attempt to extract data from a phone with Signal on it by Cellebrite's technology would lead to the UFED being infected itself.
On Sunday, Eitay Mack, a human rights lawyer focused on Israeli tech exports, filed a letter with Israel's attorney general demanding Israeli police stop using Cellebrite. The letter, also sent to the Israel Police, the police investigation unit and the military prosecutor, urged them all to freeze usage of the UFED "until an investigation into its efficiency and reliability is completed."
According to his letter, the police as well as the police's internal investigation unit (which in Israel is overseen by the Justice Ministry) have worked with Cellebrite without a proper bidding process since 2016. "In August 2020, [the latter] requested to extend its ties with Cellebrite as its exclusive supplier and purchase another device for use by the unit's southern branch," he wrote.
The request, he wrote, was confirmed, and therefore "I request a thorough and exhaustive examination of the reliability of the UFED and that until the inquiry is complete that all ties with Cellebrite be frozen."
He also urged Israeli authorities to "avoid filing evidence in court that was collected" through Cellebrite's device. Due process, the public's faith in the courts and even the right to the presumption of innocence all hang in the balance, he added.
Meanwhile, similar calls were being made in the U.K., where Cellebrite's technology is also used. Among the flaws found in Cellebrite's software by Signal was a string of code that they said belonged to Apple in a possibly devastating copyright infringement.
In a letter to the Scottish government, the Open Rights Group said that together, "the fact that these technologies are buggy and appear to disregard software licenses of other vendors should concern the police. It points to short cuts in product development."
The statement, published by the independent journalism collective in Scotland called The Ferret, said the rights group has "asked Police Scotland … to explain what procedures they have for assessing such software for security and reliability."
Open Rights Group's Heather Burns noted in the report that "while we understand that Police Scotland do not use the technology evidentially, which is the biggest area of risk, other authorities do. Police Scotland should therefore not consider extending the use of this software while these issues are unresolved."
Reports in the U.K. have previously revealed that Cellebrite's technology is also used by London's Metropolitan Police (also known as Scotland Yard).
In response to The Ferret's report, a spokesperson said: “Police Scotland is liaising with Cellebrite and other partners to fully understand any implications this may have for the service and what mitigation measures, if any, are required.”
In response to Signal’s claims, a spokeswoman for Cellebrite told Haaretz last week that the company “constantly strive[s] to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound.”
The company vowed to work to “make sure that lawfully obtained digital evidence is utilized to pursue justice.”
"Just as they have for the last 14 years, our customers continue to place their confidence in our ability to provide accurate, secure and forensically reliable software, systems and reports," Cellebrite told Haaretz in the wake of Signal's claims.
"We are dedicated to working directly with our customers to address their digital investigation needs and stand behind their mission to accelerate justice, protect and save lives, and preserve data privacy," the company added.