The Cellebrite Universal Forensic Extraction Device (UFED) is a high-end tool used by law enforcement to crack mobile phones. A new unit will run you about $6,000. But as reported by Thomas Brewster at Forbes, the hacking community has discovered that with a newer model now going on sale, older Cellebrite UFEDs are hitting the secondhand market for cheap, sometimes for as little as $100, meaning that anyone — including you! — could pick one up and crack open a smartphone even if you don’t have the password or biometric data to unlock it.
Cellebrite gained notice last year after it claimed to be able to crack open iPhones for cheap, a task that once cost the FBI $900,000. It’s also notable for its refusal to divulge the exploits it uses to bypass passwords: typically, those who find an exploit in a phone’s software or hardware let the company know about the weakness. Cellebrite, however, sees not doing so as giving it a competitive advantage.
As you can see in the video from Hacker Fantastic below, using a UFED doesn’t require a high level of technical sophistication — part of Cellebrite’s pitch is that it can “equip frontline personnel with intuitive, forensically sound tools to quickly extract and analyze digital evidence,” which means you don’t need to force someone to learn command-line language.
Cellebrite earned million in sales from federal government agencies shortly after Trump’s travel ban went into effect, presumably so those agencies could crack smartphones when someone reentering the country refused to give up their password. But those sales were in 2017, and tech marches ever forward. Forbes found a note from Cellebrite pleading with customers to please return their units rather then resell them, but it doesn’t seem to be stopping the flood of phone-hacking tools now out in the wild.
Even worse, the Cellebrite UFEDs themselves aren’t very secure; Forbes spoke to Matthew Hickey, a cybersecurity researcher and co-founder of Hacker House, who got his hands on a Cellebrite UFED and found that the device hadn’t been wiped clean before being put back on the market:
He discovered that the secondhand kit contained information on what devices were searched, when they were searched and what kinds of data were removed. Mobile identifier numbers like the IMEI code were also retrievable.
Hickey believes he could have extracted more personal information, such as contact lists or chats, though he decided not to delve into such data. “I would feel a little awful if there was a picture of a crime scene or something,” he said. But using the information within a UFED, Hickey believes a malicious hacker could identify the suspects and their relevant cases.
Hickey was also able to find the device’s admin password relatively quickly, and believes that a skilled hacker who had the time and inclination could use the UFED to crack into someone else’s smartphone. It should be noted that in order to used the Cellebrite UFED you need to be in physical possession of someone’s phone, but it’s still enough to make you uneasy that someone could buy one of these devices for less than the price of a used PS4.