If the police get hold of a smartphone and they have a warrant to search it, they’ll often turn to a tool from Israeli company Cellebrite that can hack into it and download the data within. But on Friday a security researcher is releasing an app that he says can detect when a Cellebrite is about to raid the device, turn the phone off and wipe it.
It could prove to be a controversial release, given that criminals could use it to erase evidence. But Matt Bergin, the researcher at security company KoreLogic who created the tool, says Cellebrite could easily update its phone-hacking tech to stop his app, dubbed LockUp, from working. And he hopes his work, which also included finding now-patched security weaknesses in the Cellebrite, will bring to light the need for more tests on police forensics tools to ensure they’re secure and able to detect evidence tampering.
“My goal is not to arm criminals. It’s more to educate the general public and make it aware that we need policy changes to address these issues,” Bergin added. “I hope we see changes in policy that require the types of testing that I do.”
Bergin was able to carry out his research on a two-year-old Cellebrite Universal Forensic Extraction Device (UFED) acquired from eBay, a place where the tech, supposedly only to be used by police, has been spotted on sale before. He found a handful of security issues. First, he found a problem with the way in which Cellebrite handled its encryption keys. One of those keys, an authentication key, was supposed to guarantee that a particular Cellebrite device was the one that carried out a forensic search on a phone, but the same key was present on every Cellebrite system. “The problem with that is now, when evidence collected by the UFED is being introduced in the courts, you can’t really say that it was the Cellebrite itself that did the collecting of the content,” Bergin explained. He also found keys that let him pull all the code used to exploit vulnerabilities in Android, all of which appeared to have been fixed on Google’s operating system.
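The attribution problem Bergin describes can be shown with a small constructed model. This is an added example, not Cellebrite’s key scheme or KoreLogic’s code: a fleet of three hypothetical units (“UFED-A/B/C”) each tags an evidence bundle with an HMAC, and a verifier asks which unit could have produced a given tag. With one key shared by the whole fleet, every unit verifies, so the tag says nothing about which unit did the extraction; with a per-unit key, exactly one does. The keys and evidence bytes are constructed placeholders.

```python
"""Added illustration of key attribution (constructed; not Cellebrite's design).
Standard library only: HMAC-SHA256 tags over an evidence bundle."""
import hashlib
import hmac

# Constructed stand-in for an extracted evidence image.
EVIDENCE = b"constructed-evidence-image-bytes"

# Constructed keys. Shared model: every unit holds the identical key.
SHARED_KEY = bytes.fromhex("00" * 32)
SHARED_FLEET = {"UFED-A": SHARED_KEY, "UFED-B": SHARED_KEY, "UFED-C": SHARED_KEY}

# Per-unit model: each unit holds its own key, registered with the verifier.
PER_UNIT_FLEET = {
    "UFED-A": bytes.fromhex("01" * 32),
    "UFED-B": bytes.fromhex("02" * 32),
    "UFED-C": bytes.fromhex("03" * 32),
}


def tag(key: bytes, data: bytes) -> bytes:
    """Authentication tag a unit attaches to the bundle it extracted."""
    return hmac.new(key, data, hashlib.sha256).digest()


def attribute(data: bytes, mac: bytes, keys_by_unit: dict) -> list:
    """Return the unit ids whose registered key verifies the tag.

    Exactly one id: the tag attributes the extraction to that unit.
    Several ids: the tag cannot say which unit produced it.
    None: the bundle or the tag was altered after extraction.
    """
    return [
        uid for uid, key in keys_by_unit.items()
        if hmac.compare_digest(tag(key, data), mac)
    ]


def demo():
    """Unit B extracts the bundle under both models; a verifier attributes each."""
    shared_mac = tag(SHARED_FLEET["UFED-B"], EVIDENCE)
    per_unit_mac = tag(PER_UNIT_FLEET["UFED-B"], EVIDENCE)
    tampered = EVIDENCE + b"-modified-after-extraction"
    return {
        "shared": attribute(EVIDENCE, shared_mac, SHARED_FLEET),
        "per_unit": attribute(EVIDENCE, per_unit_mac, PER_UNIT_FLEET),
        "tampered": attribute(tampered, per_unit_mac, PER_UNIT_FLEET),
    }


if __name__ == "__main__":
    for model, units in demo().items():
        print(f"{model:9s} -> {units}")
```

Because HMAC is symmetric, anyone holding a unit’s key (including the verifier) could forge its tag; a deployment that needs third-party verifiability would give each unit an asymmetric signing key instead, which is a design choice the article does not describe and this example does not model.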
The code release, on GitHub, could interest Cellebrite’s global customers, which include many U.S. federal and local law enforcement agencies, among them Immigration and Customs Enforcement (ICE), the FBI and the NYPD, as well as Europol.
As for how LockUp works, it looks for a Cellebrite application called Mr. Meseeks, named after a character in the animated TV comedy Rick & Morty, which is pushed onto an Android phone when the forensics tech is about to search the device. LockUp inspects the signing certificate of each new app installed on the phone, and if it matches the certificate of Mr. Meseeks, it factory-resets the phone. Though his test Cellebrite system was two years old, Bergin thinks LockUp will still work, as he believes current versions still rely on Mr. Meseeks. He’s releasing LockUp on Friday during a talk at Black Hat Asia.
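The check LockUp relies on, identifying an app by the SHA-256 fingerprint of its signing certificate rather than by its package name, is the same check that MDM and endpoint agents use to allowlist or flag apps. The added example below is not LockUp’s code and makes no decision beyond returning a match: it shows why the certificate is a stronger identifier than the package name (a renamed package keeps the same certificate) and also the limit Bergin points out, since a publisher that re-signs its app with a new key produces a new fingerprint and the match silently stops working. Certificate bytes, package names and the watchlist label are all constructed stand-ins; on a real device the DER bytes would come from the package’s signing info.

```python
"""Added example (not LockUp's code): match a newly installed package against a
watchlist keyed by signing-certificate fingerprint. All data below is constructed."""
import hashlib

# Constructed stand-ins for DER-encoded X.509 signing certificates.
CERT_AGENT_V1 = b"constructed-der-cert-agent-publisher-key-1"
CERT_AGENT_V2 = b"constructed-der-cert-agent-publisher-key-2"   # same publisher, new key
CERT_UNRELATED = b"constructed-der-cert-some-other-publisher"


def fingerprint(cert_der: bytes) -> str:
    """Android-style certificate fingerprint: SHA-256 over the DER bytes, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


# Watchlist keyed by fingerprint, not package name (label is constructed).
WATCHLIST = {fingerprint(CERT_AGENT_V1): "watched-publisher"}


def classify_install(package_name: str, cert_der: bytes, watchlist=WATCHLIST):
    """Return the watchlist label for a freshly installed package, or None.

    package_name is deliberately ignored for the decision: a package can be renamed
    at will, while the certificate only changes if the publisher re-signs it.
    What to do with a hit (log, alert, block) is the caller's policy, not decided here.
    """
    return watchlist.get(fingerprint(cert_der))


def review_installs(events, watchlist=WATCHLIST):
    """events: iterable of (package_name, cert_der) pairs from install notifications.
    Returns [(package_name, label)] for every event whose certificate is on the list."""
    hits = []
    for pkg, cert in events:
        label = classify_install(pkg, cert, watchlist)
        if label is not None:
            hits.append((pkg, label))
    return hits


# Constructed install events: original name, renamed package with the same cert,
# the same name re-signed with a new key, and an unrelated app.
SAMPLE_EVENTS = [
    ("com.constructed.agent", CERT_AGENT_V1),
    ("com.constructed.renamed", CERT_AGENT_V1),
    ("com.constructed.agent", CERT_AGENT_V2),
    ("com.constructed.other", CERT_UNRELATED),
]

if __name__ == "__main__":
    for pkg, label in review_installs(SAMPLE_EVENTS):
        print(f"{pkg}: {label}")
```

Only the first two constructed events match: the rename is caught because the certificate did not change, and the re-signed package is missed because its fingerprint is new, which is exactly the update Bergin says the vendor could ship to defeat the check.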
Cellebrite fixed the encryption issues highlighted by Bergin in 2020. A company spokesperson added: “The demonstrated proof-of-concept application is not considered a vulnerability by KoreLogic or Cellebrite. It is a shared scenario for any forensic software performing app-based extractions. Customers should be assured that information garnered from Cellebrite solutions is forensically sound.”
Regarding the ability for people to purchase its devices on eBay and other secondhand markets, Cellebrite said, “Under no circumstances may a customer resell, redistribute, transfer or sublicense Cellebrite’s technology to any third party without expressed written permission from Cellebrite . . . keep in mind that on the rare occasion when someone is able to obtain a device on a secondary market, the software is outdated and not able to receive updates.”
The release of LockUp comes just a week after Moxie Marlinspike, founder of the encrypted messaging app Signal, looked into the security of a Cellebrite device and claimed to be able to hack a Cellebrite by including malicious code in an app searched by the forensic tool. The LockUp app may appeal to those who wouldn’t consider themselves criminal, but could be under surveillance from their government. Cellebrite devices have allegedly been spotted in use on journalists in countries with poor records on human rights. On Wednesday, the Committee for the Protection of Journalists reported that Oratile Dikologang, digital editor and cofounder of the Botswana People’s Daily News website, had his phone searched with a Cellebrite device. Dikologang was accused of writing “offensive” posts on Facebook and during interrogation gave over his password. A Cellebrite and the Forensic Toolkit from U.S.-based AccessData were then used to grab all the data inside.
AccessData did not respond to the publication’s multiple requests for comment on the CPJ’s reporting, while a Cellebrite spokesperson said: “We have multiple checks and balances to ensure our technology is used as intended. We require that agencies and governments that use our technology uphold the standards of international human rights law. . . . When our technology is used in a manner that does not meet international law or does not comply with Cellebrite’s values, we take swift and appropriate action, including terminating agreements.”