In a report to potential customers (part of which is shown above), the mobile forensics firm, Cellebrite, claims that it can now unlock virtually any smartphone. Of course, it claims that it will only sell its unlocking technology to governments and law enforcement firms, but, the key underlying point here is that the unlocking ability exists in the first place. The rest is academic. At some point, others will figure this out, either by back-engineering Cellebrite’s technology or by figuring it out on their own. And guess what? Some of these ‘others’ will not be nice guys. They could be governments, but oppressive governments. They could be law enforcement, but corrupt law enforcement. Or they could just simply be cyber criminals looking for a way to make money by hacking smartphones.
Among Cellebrite’s tens of thousands of customers is the U.S. government. Cellebrite has been under contract to the U.S. government since 2007. As can be seen in the following chart from insidegov.com, Cellebrite has received $40.7 million for 1,308 government contracts. It is currently under contract with the Department of Homeland Security (DHS).
On the surface, many may see this as a positive development; after all, don’t we want to find out all we can about criminals who endanger the U.S.? Sure, that’s a loaded question. But, Cellebrite claims to have 60,000 contracts in 150 countries. There is little doubt that some of these countries have governments whose reputations may be less than sterling. Some may even have interests that are counter to those of the U.S. As the company notes. “by enabling access, sharing and analysis of digital data from mobile devices, social media, cloud, computer and other sources, Cellebrite products, solutions, services and training help customers build the strongest cases quickly, even in the most complex situations.” That’s fine, if these cases are against dangerous operatives, but, in some countries, dangerous operatives may include anyone who opposes the government.
So how does Cellebrite control who gets access to its technology? If you want to extract information from a locked device, you must fill out a form on their website. Although I assume there must be restrictions on who can use their technology, I could find no information on this on their site. The form on their site gives no clues.
I could, for example, find no countries that were excluded from such requests, including North Korea, Iran, and China. The contract (EULA) for use of the software only notes that necessary laws must be followed and that those in the U.S. cannot export the software to countries under sanctions. However, there is no mention of which countries should not bother to contact Cellebrite directly. There is no mention of ethical considerations that should be kept in mind when using their technology. Besides a phone conversation with an interested buyer, I could find no information on how validation of a user’s credentials is conducted. I’m not alone in this observation on a lack of openly stated restrictions. A Motherboard investigation reached the same conclusions.
“Cellebrite’s End User License Agreement (EULA) makes no mention of respecting human rights. It also does not state that Cellebrite’s tools shouldn’t be used against certain populations, such as journalists. Cellebrite declined a request for comment, and did not answer an emailed set of questions about the company’s vetting of customers, nor the absence of any human rights clauses from the EULA.”
The same investigation found that Cellebrite did, in fact, work with repressive regimes in Turkey, Russia, and the United Arab Emirates. How did Motherboard learn all this? Apparently, they were given 900GB of data hacked from a Cellebrite server. But that’s another story.
If the potential customer passes whatever validation exists, they will be told to send in the phone they want unlocked or they will be given the option to buy the company’s software. According to a Forbes article, the cost for a one-time phone unlock is as low as $1500. Cellebrite was reportedly behind the unlocking of the infamous iPhone found in possession of the San Bernardino terrorists, but my guess is that the FBI paid a little more for them to unlock this phone.
What stops Apple or other smartphone manufacturers from back-engineering the technology and then circumventing it with a system update? Nothing really, except for a clause in the user license saying that you shouldn’t do that. In an odd way, such update patches would be welcomed by Cellebrite. This is because they would then enter into a lucrative patch, subvert-patch death spiral. True, companies, like Apple, could pay Cellebrite bug bounties for any bugs it found in their operating systems and, thereby, avoid having their phones exposed and their reputations damaged, but this idea would not contribute much to Cellebrite’s own reputation and growth, as they would more or less get paid to keep quiet.
But we shouldn’t feel too sorry for Apple. Apple has long ago abandoned any pretense of being concerned about their clients’ privacy. The noble fight they engaged in over the unlocking of the San Bernardino terrorist phone has since been tarnished when they readily agreed to give up any information on any Chinese-based customer to the Chinese government. The final nail in the privacy coffin took place recently when Apple agreed to store all Chinese customer information on a government controlled server. After all, you can’t afford to lose access to so many customers, right?
Not everyone worries about security. The truth is that most people have only minimal protection enabled on their smartphones and simply hope they won’t get hacked. It’s a different matter, however, for people who have smartphones that are allowed to connect to a company’s or organization’s network. These phones are sought out by high level hackers to gain access to sensitive data in the enterprises they are connected to. Such phones must be secure and should not be phones that can be unlocked because this would expose the entire enterprise to serious risk.
Before the latest Cellebrite report, the iPhone X and Samsung 8 were considered to be among the most secure smartphones available. Now, if security is your main factor for buying a smartphone, the two best are considered to be the Blackphone 2 and the DTEK 60 by Blackberry (yes, Blackberry is still around.) Although at one time Cellebrite claimed to be able to unlock a Blackberry, nothing in their recent reports indicates that they can still do so.
But it may not be so much a security issue as an availability issue. There are just not enough of these secure phones being used by criminals for Cellebrite to worry about. In other words, the demand for unlocking them simply does not exist. Both makers are, in fact, on the verge of financial collapse. Cybersecurity experts at InZero Systems believe the Blackphone 2 can be compromised due to the fact that its security depends on software architecture. The BlackBerry DTEK60 must be only considered as ‘hack resistant’ as it is, after all, based on Android architecture.
No one considers phone security a priority until they get hacked. But if all phones can be unlocked, as Cellebrite claims, then, anything on your phone can and will be used against you in a court of law, if the law deems this necessary. And remember that access to your phone extends to access beyond your phone. Cellebrite, or others using their techniques, would have access to whatever websites your phone is connected to, such as your email, social media, cloud storage, and bank accounts. They can also control your contacts and your friends. It has come to the point where anyone who controls your smartphone can control your life.
Most people in a big city will not leave their keys in their car’s ignition. Most will lock their doors when they leave for the day. Yet, for some reason, these same people are mostly careless in the way they protect access to their phones, even though losing access to them could be far more devastating. It may be that people have become numb to cybersecurity threats. It may be that they feel manufacturers bear the brunt of responsibility for cyber protection. Maybe it’s just that the technological know-how necessary for good cybersecurity is beyond most people’s grasp. Now, it seems this may not matter. If Cellebrite is correct, no amount of cybersecurity will stand in the way of those who really want to get to the information stored on your phone. It will be interesting to see how smartphone manufacturers respond to this challenge.