Naked Security

For sale: iPhone hacking tool, one previous (not very careful) owner

At $100, the old-gen iPhone encryption-cracking tools are a bargain to hackers looking to pick up leftover forensics or police Wi-Fi data.

Cellebrite phone-cracking devices, beloved by law enforcement, are available at bargain-basement prices on eBay, so you can get a gander at all the devices that the police have presumably been able to squeeze for data.

Here’s a second-hand Cellebrite UFED device showing off its capabilities, courtesy of security researcher Matthew Hickey:

Hickey is cofounder of training academy Hacker House. He recently told Forbes that he’d picked up a dozen Cellebrite UFED devices for dirt cheap and probed them for data, which he found… in spades.

What surprised Hickey was that nobody bothered to wipe these things before dumping them onto eBay, he told Forbes:

You’d think a forensics device used by law enforcement would be wiped before resale. The sheer volume of these units appearing online is indicative that some may not be renewing Cellebrite and disposing of the units elsewhere.

Yes, you would think that a very expensive forensics device such as Cellebrite’s UFED – reportedly, brand-new models start at $6,000 – that’s used by law enforcement to crack the encryption on (older) iPhone models, as well as on phones from Samsung, LG, ZTE and Motorola, would be wiped before resale… on eBay, for prices starting at $100.

Forbes reports that these valuable devices, for which US federal agencies including the FBI and Immigration and Customs Enforcement (ICE) have been paying millions of dollars, can be found, used, on sale for between $100 and $1,000 a unit.

Some Cellebrite history

Cellebrite got a lot of attention during the FBI vs. Apple encryption battle, which got particularly loud after the San Bernardino terrorist attacks. We never found out for sure what tool the FBI used to break into the terrorist’s iPhone, though it was reported that Cellebrite offered to do the cracking.

An FBI source subsequently denied that the bureau used Cellebrite to get into the iPhone. A court decision in October 2017 ensured that the FBI’s secret iPhone hacking tool would stay under wraps.

Regardless of Cellebrite’s role or lack thereof in the San Bernardino iPhone cracking case, its forensics devices have been used to break into a whole lot of mobile phones.

What’s on these bargain-bin babies?

When Hickey probed the UFED devices for data earlier this month, he discovered that they contained information on what devices they’d been used to search, when they were searched, and what kinds of data they got at. Forbes reports that mobile identifier numbers, like the IMEI code, were also retrievable.

Hickey says he also found what looked like Wi-Fi passwords left behind on the UFEDs. They could have been those of the police agencies that used the devices, or perhaps they were those of independent investigators or business auditors, Forbes suggested.

There could be other, far more valuable data on the devices. Hickey hasn’t had success at extracting any of the software vulnerabilities that Cellebrite uses to slip past Apple and Google’s protections… yet. The encrypted keys to do so should be extractable, though.

Why are the UFEDs available now?

That’s an easy one: they’re available now because there are new models out, with updated software. As of a year ago, Cellebrite could reportedly crack every iPhone up to the then-latest version of iOS, 11.2.6.

“Fairly poor” security on the units

Hickey managed to get the residual data left on the older model UFEDs by retrieving admin account passwords for the devices and taking them over: something he could do because their security was “fairly poor,” he said. He also found it simple to crack the devices’ license controls by relying on guides he found on online Turkish forums.

A hacker with chops could get up to plenty of no-good that way. From Forbes:

A skilled hacker could unleash the device to break into iPhones or other smartphones using the same information, [Hickey] said. A malicious attacker could also modify a unit to falsify evidence or even reverse the forensics process and create a phone capable of hacking the Cellebrite tech, Hickey warned.

Cellebrite is not amused

Sources from the forensics industry showed Forbes a letter from Cellebrite in which it warned customers about reselling its hacking devices, given that they can be used to access individuals’ private data.

The UFEDs should be returned to Cellebrite so they can be properly decommissioned, but it’s looking like police, and/or others who’ve possessed the devices, are putting them up for sale to anybody and everybody, regardless of the fact that they haven’t been wiped clean of the sensitive data they contain.
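Proper decommissioning is only as good as the check that follows it. The following is an added example, not code from the article, Cellebrite or Hickey: a small Python scanner that runs over a raw image of a unit's storage before it leaves an agency's hands and flags the two kinds of residue the article describes, handset identifiers (15-digit numbers that pass the IMEI Luhn check) and Wi-Fi credentials. It assumes the Wi-Fi data is held in wpa_supplicant-style `network={...}` blocks; the article does not say how the UFEDs actually stored it, so that format is an assumption, and the sample image is constructed inline.

```python
"""Sanitization check for a decommissioned device image (added example).

Scans a raw block image for residue a wiped unit should not contain:
IMEI-like identifiers (15 digits passing the Luhn check) and
wpa_supplicant-style Wi-Fi credentials. The config format is an
assumption; the article does not say how the UFEDs stored their data.
"""
import re
from dataclasses import dataclass, field

IMEI_RE = re.compile(rb"(?<!\d)\d{15}(?!\d)")
NETWORK_RE = re.compile(rb"network=\{(.*?)\}", re.DOTALL)
SSID_RE = re.compile(rb'ssid\s*=\s*"([^"\n]{1,32})"')
PSK_RE = re.compile(rb'psk\s*=\s*"([^"\n]{8,63})"')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by IMEIs; filters out random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(secret: str) -> str:
    """Keep only the first two characters so a report can be shared safely."""
    return secret[:2] + "*" * (len(secret) - 2)


@dataclass
class ResidueReport:
    size: int
    blank_fraction: float
    imeis: list = field(default_factory=list)
    wifi_networks: list = field(default_factory=list)  # (ssid, redacted psk)

    def is_sanitized(self, min_blank: float = 0.999) -> bool:
        # Assumes a zero-fill or flash-erase (0xFF) wipe; a random-pattern
        # overwrite would need an entropy check instead of a blank count.
        return (not self.imeis and not self.wifi_networks
                and self.blank_fraction >= min_blank)


def scan_image(data: bytes) -> ResidueReport:
    """Return a report of identifier and credential residue in the image."""
    blank = data.count(0x00) + data.count(0xFF)
    report = ResidueReport(size=len(data),
                           blank_fraction=blank / len(data) if data else 1.0)
    for m in IMEI_RE.finditer(data):
        imei = m.group(0).decode()
        if luhn_ok(imei) and imei not in report.imeis:
            report.imeis.append(imei)
    for block in NETWORK_RE.finditer(data):
        ssid = SSID_RE.search(block.group(1))
        psk = PSK_RE.search(block.group(1))
        if ssid and psk:
            report.wifi_networks.append(
                (ssid.group(1).decode(errors="replace"),
                 redact(psk.group(1).decode(errors="replace"))))
    return report


# Constructed sample image: mostly zeros, with one residual wpa_supplicant
# block and two 15-digit numbers, only one of which is a Luhn-valid IMEI.
SAMPLE_IMAGE = (
    b"\x00" * 2048
    + b'network={\n\tssid="Evidence-Lab-WiFi"\n\tpsk="correct horse battery"\n}\n'
    + b"IMEI 490154203237518 serial 123456789012345 "
    + b"\x00" * 2048
)
WIPED_IMAGE = b"\x00" * 4096  # what a properly decommissioned unit should look like

if __name__ == "__main__":
    for name, img in (("second-hand unit", SAMPLE_IMAGE), ("wiped unit", WIPED_IMAGE)):
        r = scan_image(img)
        print(f"{name}: sanitized={r.is_sanitized()} "
              f"imeis={r.imeis} wifi={r.wifi_networks}")
```

Run it against an image taken with `dd` (or the vendor's export) before the unit is sold or returned; anything other than an empty report means the wipe did not happen or did not cover that storage. The report redacts the pre-shared key so the output itself does not become a second leak.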

Forbes reports that cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result of the unwiped gadgets being put up on the auction block.

But as far as Hickey is concerned, his second-hand Cellebrite kit has a higher calling in store: he’s planning to rig them up to run the shooter classic Doom:
