The mobile forensics trade is booming. As smartphones have proliferated into every corner of our lives, many state law enforcement agencies in the US have bought devices for extracting phone passcodes and siphoning off data too, as an investigation found.
But it appears you don't necessarily have to be a cop or a forensics contractor to buy phone cracking tech. Several different types of devices are available via online marketplaces and stores, and some sellers seemingly don't check who they are selling the items to either.
To approach one eBay seller, experts created an email address suggesting we were a worker at a forensics shop. On the site, one vendor who sells firewalls and other pieces of hardware is offering potential customers a wad of Cellebrite's Universal Extraction Forensics Devices, or UFEDs. These devices allow users to extract data, such as contact lists, emails, and text messages, from cellphones when they have physical access to the phone. Specifically, the vendor is selling the “ruggedized” version of the UFED, typically used by law enforcement while out in the field.
When asked if each device came with the appropriate software, the vendor said it was “available online, you can download it.” Another vendor on eBay is selling Cellebrite's UFED CHINEX add-on for $2,500. CHINEX is specifically for pulling data and passwords from phones manufactured with Chinese chipsets.
Cellebrite is an Israeli company that dominates the market in granting law enforcement agencies access to locked mobile phones. Many websites that sell Cellebrite products require the customer to register and then request a quote or enter a password-protected section of the store to view actual prices and make an order.
But on the site for a Polish company that specialises in tools for detectives, visitors can buy a UFED Touch Ultimate for just over £11,000 ($13,700). This version of the UFED can circumvent password protections on Android devices, including the Samsung Galaxy S family, according to a Cellebrite brochure. It also can carry out physical extraction of data—ultimately, recovering deleted files—from the phone.
When experts added the item to a cart, the website allowed this reporter to progress through the entire process—giving a shipping address, creating a customer account—without ever having to prove or suggest whether we were a forensics contractor or law enforcement officer at all. The terms and conditions of the site make no mention whatsoever of any type of person they will not sell products to.
The site also sells licenses for Cellebrite products, meaning users will receive the latest updates and have access to technical support. Researchers showed these examples to a Cellebrite spokesperson, who said in a statement: “Cellebrite explicitly prohibits resale of UFED products in all end user license agreements.”
These are powerful devices, capable of hoovering up vast quantities of sensitive data from mobile phones. According to law enforcement, they are absolutely essential to capturing and preserving forensics evidence in criminal prosecutions. But Cellebrite devices have also been misused.
Cellebrite technology was used to dig up dirt on a political activist. The information obtained from the dissident's mobile phone was then used to prosecute him. When pretty much anyone can apparently buy these devices, the opportunity for abuse grows dramatically. A jealous boyfriend, a paranoid employer, or financially driven criminals could all make effective use of the technologies on offer.