The Cellebrite Universal Forensic Extraction Device (UFED) – used by local law enforcement agencies, the FBI, and Homeland Security to unlock iPhones and other devices used in criminal and terrorist activities – is being offered on eBay for as little as $100.
When eBay merchant Mr. Balaj was looking through a pile of hi-fi junk at an auction in the U.K., he came across an odd-looking device. Easily mistaken for a child’s tablet, it had the word “Cellebrite” written on it. To Mr. Balaj, it appeared to be a worthless piece of electronic flotsam, so he left it in his garage to gather dust for eight months.
However, Mr. Balaj recently learned what he had his hands on: the Israeli-made Cellebrite UFED, used around the globe by law enforcement to gain access to information stored on iPhones and Android devices. While agencies have been paying millions of dollars to Cellebrite for the devices, Mr. Balaj and others on eBay are now selling Cellebrite systems for between $100 and $1,000 a unit. (New units start at $6,000.)
Cellebrite isn’t pleased to learn about the sales of the used units, and has sent a letter to its customers warning them about selling the devices, as they could be used to access individuals’ private data. (This has been a concern for many of us since these cracking devices first appeared on the scene.) Cellebrite’s terms of sale do not permit resale. Units are required to be returned to the company to be decommissioned.
Instead of returning the UFEDs to Cellebrite to be properly wiped and decommissioned, police are selling them, and in many cases not wiping the information before putting them up for sale. A unit that has not been wiped still has phone data on it.
Earlier this month, Matthew Hickey, a cybersecurity researcher and cofounder of training academy Hacker House, bought a dozen UFED devices and probed them for data. He discovered that the secondhand kit contained information on what devices were searched, when they were searched and what kinds of data were removed. Mobile identifier numbers like the IMEI code were also retrievable.
Hickey believes he could have extracted more information, but decided not to dig deeper. “I would feel a little awful if there was a picture of a crime scene or something,” he said. Hickey says he believes a malicious party could identify the suspects and their relevant cases.
It is likely that the Cellebrite devices are being sold because they are quickly becoming outdated and no longer work on phones running recent versions of iOS. Hacking tools like those offered by Cellebrite rely on exploiting zero-day vulnerabilities, which are patched as soon as Apple and Google learn of them.