Last year, when the F.B.I procured a court order forcing Apple to unlock an iPhone belonging to one of the San Bernardino shooters, C.E.O. Tim Cook refused, sparking a months-long battle between the tech behemoth and the federal government. Building a back-door would set a “dangerous precedent” and compromise the security of the iPhone, Cook argued in a public letter. After a tense showdown, the F.B.I. withdrew its case when it reportedly found another way to break into the iPhone: a private Israeli security firm called Cellebrite, which specializes in data extraction and had teamed up with the F.B.I. before. Cellebrite has received more than $2 million in purchase orders from the F.B.I. over the past four years.
Now, it appears Cook may have been right to worry about the iPhone’s security. A new report from Motherboard says Cellebrite has been hacked, and its data—including highly confidential customer information, databases, and technical details about Cellebrite’s products—has been stolen. The same technology built by Cellebrite to allow the F.B.I. to unlock iPhones could now be sold to the highest bidder.
In a statement Thursday released after Motherboard’s report, Cellebrite confirmed that its security had been breached. “Cellebrite recently experienced unauthorized access to an external web server,” the firm said. “The company is conducting an investigation to determine the extent of the breach. … Presently, it is known that the information accessed includes basic contact information of users registered for alerts or notifications on Cellebrite products and hashed passwords for users who have not yet migrated to the new system.”
The hacker who claims to have broken into Cellebrite’s server appeared to have other reasons for targeting the Israeli company, however. Motherboard that reports while Cellebrite’s technology is popular with domestic law-enforcement agencies, the stolen data also indicates its services have been sold to authoritarian regimes in countries including Turkey, Russia, and the United Arab Emirates. Cellebrite’s main forensics product, the Universal Forensic Extraction Device (U.F.E.D.), can collect all manner of data from cell phones—including text messages, e-mails, and more—all without the need for passwords. The person with the U.F.E.D. just needs to be in physical possession of the cell phone for the technology to work. Motherboard reports that the hacker “expressed disdain for recent changes in surveillance legislation,” adding that “had it not been for the recent stance taken by Western governments, no one would have known but us.”
Human rights and technology experts have expressed concern over the use of similar tools by authoritarian regimes to squash dissent . Last year, Cellebrite technology was used to prosecute a political dissident in Bahrain. “While products like those of Cellebrite can have legitimate use in forensic acquisitions, and while we shouldn't demonize the technology behind them, there is always a concern that in countries where basic freedoms are regularly quashed and where we see a systematic abuse of technology to suppress dissent, these same solutions might become tools in the hands of oppressors,”
Source: Vanity Fair