Cellebrite phone-cracking devices, beloved by law enforcement, are available at bargain-basement prices on eBay, so you can get a gander at all the devices that the police have presumably been able to squeeze for data.
Here’s a second-hand Cellebrite UFED device showing off its capabilities, courtesy of security researcher Matthew Hickey:
Cellebrite UFED classic exploits & functions – I got this gem at an auction – has SIM card cloning features (elite) https://t.co/xmLCgVO7iG
Hacker Fantastic (@hackerfantastic) February 11, 2019
Hickey is cofounder of training academy Hacker House. He recently told Forbes that he’d picked up a dozen Cellebrite UFED devices for dirt cheap and probed them for data, which he found… in spades.
What surprised Hickey was that nobody bothered to wipe these things before dumping them onto eBay, he told Forbes:
You’d think a forensics device used by law enforcement would be wiped before resale. The sheer volume of these units appearing online is indicative that some may not be renewing Cellebrite and disposing of the units elsewhere.
Yes, you would think that a very expensive forensics device such as Cellebrite’s UFED – reportedly, brand-new models start at $6,000 – that’s used by law enforcement to crack the encryption on (older) iPhone models, as well as on phones from Samsung, LG, ZTE and Motorola, would be wiped before resale… on eBay, for prices starting at $100.
Forbes reports that these valuable devices, for which US federal agencies including the FBI and Immigration and Customs Enforcement (ICE) have been paying millions of dollars, can be found, used, on sale for between $100 and $1,000 a unit.
Some Cellebrite history
Cellebrite got a lot of attention during the FBI vs. Apple encryption battle, which got particularly loud after the San Bernardino terrorist attacks. We never found out for sure what tool the FBI used to break into the terrorist’s iPhone, though it was reported that Cellebrite offered to do the cracking.
Regardless of Cellebrite’s role or lack thereof in the San Bernardino iPhone cracking case, its forensics devices have been used to break into a whole lot of mobile phones.
What’s on these bargain-bin babies?
When Hickey probed the UFED devices for data earlier this month, he discovered that they contained information on what devices they’d been used to search, when they were searched, and what kinds of data they got at. Forbes reports that mobile identifier numbers, like the IMEI code, were also retrievable.
Hickey says he also found what looked like Wi-Fi passwords left behind on the UFEDs. They could have been those of the police agencies that used the devices, or perhaps they were those of independent investigators or business auditors, Forbes suggested.
There could be other, far more valuable data on the devices. Hickey hasn’t had success at extracting any of the software vulnerabilities that Cellebrite uses to slip past Apple and Google’s protections… yet. The encrypted keys to do so should be extractable, though.
Why are the UFEDs available now?
That’s an easy one: they’re available now because there are new models out, with updated software. As of a year ago, Cellebrite could reportedly crack every iPhone up to the then-latest version of iOS, 11.2.6.
”Fairly poor” security on the units
Hickey managed to get the residual data left on the older model UFEDs by retrieving admin account passwords for the devices and taking them over: something he could do because their security was “fairly poor,” he said. He also found it simple to crack the devices’ license controls by relying on guides he found on online Turkish forums.
A hacker with chops could get up to plenty of no-good that way. From Forbes:
A skilled hacker could unleash the device to break into iPhones or other smartphones using the same information, [Hickey] said. A malicious attacker could also modify a unit to falsify evidence or even reverse the forensics process and create a phone capable of hacking the Cellebrite tech, Hickey warned.
Cellebrite is not amused
Sources from the forensics industry showed Forbes a letter from Cellebrite in which it warned customers about reselling its hacking devices, given that they can be used to access individuals’ private data.
The UFEDs should be returned to Cellebrite so they can be properly decommissioned, but it’s looking like police, and/or others who’ve possessed the devices, are putting them up for sale to anybody and everybody, regardless of the fact that they haven’t been wiped clean of the sensitive data they contain.
Forbes reports that cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result of the unwiped gadgets being put up on the auction block.
But as far as Hickey is concerned, his second-hand Cellebrite kit has a higher calling in store: he’s planning to rig them up to run the shooter classic Doom:
Hacker Fantastic (@hackerfantastic) February 12, 2019