from the just-in-case-you-forget-your-password dept.
Phone-Hacking Tool Law Agencies Use Cost Just $100 on eBay
When smartphone companies refuse to help law enforcement agencies access encrypted devices, investigators often turn to companies like Cellebrite, which offers its Universal Forensic Extraction Device (UFED) to help them hack the phone in question to access secure data The problem? This week, Forbes reported that UFEDs--which normally cost between $5,000 and $15,000--can now be bought on eBay for as little as $100.
In addition to letting anyone with a likeness of Benjamin Franklin break into other people's devices, these used UFEDs were also found to contain data from previous investigations.
Forbes said Hacker House co-founder Matthew Hickey bought a dozen UFEDs to see what secrets they might contain. He reportedly found that the "secondhand kit contained information on what devices were searched, when they were searched and what kinds of data were removed," as well as the searched phones' IMEI (international mobile equipment identity) codes.
Related: Washington Post: The FBI Paid "Gray Hat(s)", Not Cellebrite, for iPhone Unlock
Meeting Cellebrite - Israel's Master Phone Crackers
Cellebrite Appears to Have Been Hacked
Federal Court Rules That the FBI Does Not Have to Disclose Name of iPhone Hacking Vendor
Related Stories
The Washington Post reports that the FBI did not require the services of Israeli firm Cellebrite to hack a San Bernardino terrorist's iPhone. Instead, it paid a one-time fee to a group of hackers and security researchers, at least one of whom the paper labels a "gray hat". It's also reported that the U.S. government has not decided whether or not to disclose to Apple the previously unknown vulnerability (or vulnerabilities) used to unlock the iPhone (specifically an iPhone 5C running iOS 9):
The FBI cracked a San Bernardino terrorist's phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter. The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone's four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.
The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.
[...] The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said. The U.S. government now has to weigh whether to disclose the flaws to Apple, a decision that probably will be made by a White House-led group.
FBI Director James Comey told students at Catholic University's Columbus School of Law that "Apple is not a demon," and "I hope people don't perceive the FBI as a demon." What a saint.
BBC technology correspondent Rory Cellan-Jones has met with representatives of the Israeli company Cellebrite, which helps police forces gain access to the data on the mobile phones of suspected criminals. They were rumoured to have aided the FBI in gaining access to the iPhone used by the San Bernardino shooter (though some reports contradict this). From the article:
It's an Israeli company that helps police forces gain access to data on the mobile phones of suspected criminals.
Cellebrite was in the headlines earlier this year when it was rumoured to have helped the FBI to crack an iPhone used by the San Bernardino shooter.
Now the company has told the BBC that it can get through the defences of just about any modern smartphone. But the firm refuses to say whether it supplies its technology to the police forces of repressive regimes.
[...] Mr Ben-Moshe claimed that his firm could access data on "the largest number of devices that are out there in the industry".
Even Apple's new iPhone 7?
"We can definitely extract data from an iPhone 7 as well - the question is what data."
He said that Cellebrite had the biggest research and development team in the sector, constantly working to catch up with the new technology.
He was cagey about how much data could be extracted from services such as WhatsApp - "It's not a black/white yes/no answer" - but indicated that criminals might be fooling themselves if they thought any form of mobile communication was totally secure.
According to the New York Post:
Cellebrite, an Israeli firm that supplies "forensics tools" to agencies around the world, including US law enforcement, appears to have suffered a serious hack. Motherboard claims to have 900GB of Cellebrite data, supplied to it by an anonymous hacker. Among other things, the data reportedly shows that the Israeli firm has been selling its technology to regimes known for their human rights abuses, including Turkey, the United Arab Emirates and Russia.
According to Motherboard:
The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies.
Cellebrite is an Israeli company whose main product, a typically laptop-sized device called the Universal Forensic Extraction Device (UFED), can rip data from thousands of different models of mobile phones. That data can include SMS messages, emails, call logs, and much more, as long as the UFED user is in physical possession of the phone.
New York Post Again:
Cellebrite is best known for its rumored involvement in helping the FBI crack the San Bernandino shooter's iPhone, as Apple fought an order to assist through the courts. In addition to helping the FBI in that case, Cellebrite sells forensics devices and software to dozens of US law enforcement agencies and police departments.
The FBI will not have to disclose the name of the vendor that it paid to hack into an iPhone used by one of the San Bernardino terrorists:
A federal court ruled yesterday that the FBI does not have to disclose either the name of the vendor used or price the government paid to hack into the iPhone SE of mass shooter Syed Farook, according to ZDNet. The device became embroiled in a heated national controversy and legal standoff last year when Apple refused to help the FBI develop a backdoor into it for the purpose of obtaining sensitive information on Farook and his wife Tashfeen Malik, both of whom participated in the terrorist attack that left 14 dead in San Bernardino, California in December 2015.
The Justice Department originally filed a lawsuit against Apple to compel it to participate by creating a special version of its mobile operating system, something Apple was vehemently against because of the risk such a tool posed to users. But very soon after, the government withdrew from the case when a third-party vendor secretly demonstrated to the FBI a workable method to bypass the iPhone's security system. Three news organizations — the Associated Press, Vice News, and USA Today — filed a Freedom of Information Act lawsuit in September 2016 to reveal details of the hacking method used. Because it was not clear how many phones the workaround could be used on, and whether the FBI could use it surreptitiously in the future, the lawsuit was seeking information that would be pertinent to the public and security researchers around the globe.
Previously: Washington Post: The FBI Paid "Gray Hat(s)", Not Cellebrite, for iPhone Unlock
FBI Can't Say How It Hacked IPhone 5C
Meeting Cellebrite - Israel's Master Phone Crackers
Cellebrite Appears to Have Been Hacked
Senator Dianne Feinstein Claims That the FBI Paid $900,000 to Break Into a Locked iPhone
Related: FBI Resists Revealing its Tor User Identification Methods in Court
(Score: 0) by Anonymous Coward on Sunday March 03 2019, @04:06AM (1 child)
No reason to give the state any advantage over the rest of us.
(Score: 2) by jb on Monday March 04 2019, @02:57AM
Quite right.
Excuse me if I've missed something obvious (which is quite possible, since I've lived in America), but it occurs to me that, given the USA classifies cryptographic tools as "munitions", shouldn't it be just fine & dandy for anyone to own them, by virtue of the second amendment?
(Score: 1, Redundant) by MichaelDavidCrawford on Sunday March 03 2019, @04:14AM (4 children)
You say that like it's a bad thing.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by takyon on Sunday March 03 2019, @04:25AM (3 children)
We said no such thing, Crawforbes.
Actually it is bad because all the devices got bought up or removed. Thanks, F****s.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Insightful) by Runaway1956 on Sunday March 03 2019, @05:13AM (2 children)
I came to say something similar. Electronic security of any kind is an arms race. Our second amendment intended that the citizens have access to the same weapons that government uses against them. IMO, that second amendment guarantees the right of private citizens to access these weapons. A hundred dollars a pop? OK, so the poorest of the dirt poor can't access them - but they can't buy a reliable firearm either. Everyone else can get one if they scrimp and save. People in the middle class don't even have to scrimp and save. Actually, that sounds about right!
But wait - wut did you say? THEY'RE ALL GONE?! THAT SUCKS!! Well, I hate doing business with Wal-mart or Amazon, but I'll check them both. Have you looked at Home Depot?
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2, Insightful) by Ethanol-fueled on Sunday March 03 2019, @07:48AM
Well gee whiz, an Israeli company in the only nation that gets an unredacted stream of NSA data is somehow really good at finding backdoors in everything.
(Score: 0) by Anonymous Coward on Sunday March 03 2019, @05:29PM
"Electronic security of any kind is an arms race"
and if it's not open-source you $ELL to both sides!
(Score: 2) by linkdude64 on Sunday March 03 2019, @10:20AM (2 children)
I'm missing something here. The obvious joke went over my head, or something. Are they saying Ben Franklin was a police officer?...or an incompetent CIA agent?...or is this a $100 bill joke?
Ben Franklin was an amazing inventor, writer, and philosopher. Every time I see a person wearing bifocals or notice a lightning rod I think to myself, "Thanks, Ben Franklin."
(Score: 4, Funny) by realDonaldTrump on Sunday March 03 2019, @11:48AM (1 child)
It means a hundred dollars. It's a low class way of saying that. When you're hiring someone, you ask "how much for an hour?" Right? I'll tell you, if she starts talking about Benjamins, she calls it Benjamins, maybe that's someone you don't want to hire. Somebody with NO CLASS. And maybe you hire her anyway, right? Be careful with that one. Or you'll be sorry when you go to the Doctor!!!
(Score: 2) by linkdude64 on Sunday March 03 2019, @11:08PM
NOW it makes sense! Laughed and +1'd.
I see where my disconnect was now - in "anyone with a likeness of Ben Franklin" I took the word likeness as meaning appearance.
(Score: 0) by Anonymous Coward on Sunday March 03 2019, @08:37PM
So cool story bro, old equipment is available on ebay. But now its national news and they'll start destroying it. No longer will you have a chance to see how these devices work because some "hacker" wanted his 5 minutes of fame. Who's side is he on again?