When Hackers Get Hacked: Stolen Cellebrite Data Reveals Firm Sold Tech to Repressive Regimes

Jan 12, 2017

Cellebrite, a company whose business is hacking into phones, has itself been hacked. The intruders stole customer information, user databases, and a massive amount of technical data on the company’s several products. Motherboard has received 900 GB of this stolen Cellebrite data, and it reveals some not-so-happy facts.

Cellebrite may have sold phone hacking tech to repressive regimes

Cellebrite is an Israeli firm known for lending a helping hand to law enforcement agencies in cracking open encrypted devices. Its Universal Forensic Extraction Device (UFED), also known as Cellebrite’s hacking kit, is one of the most popular forensic tools: it can circumvent passcodes and extract SMS messages, call logs, and internet browsing history, along with deleted data in some cases. This powerful tool can extract data from a vast number (read: thousands) of different mobile phone models.


According to reports, in the US alone, law enforcement agencies have invested millions of dollars on this tech. “Over 2,000 pages of invoices, purchase orders, communications, and other documents lay out in unprecedented detail how one company [Cellebrite] in particular has cornered the trade in mobile phone forensics equipment across the United States,” Motherboard had reported.

But it turns out that it’s not just US law enforcement agencies that Cellebrite has been helping: the data reveals that the company may have sold its tools to authoritarian regimes that prosecute dissidents. These include the United Arab Emirates, Russia, Turkey, and Bahrain, the last of which is among the worst human rights offenders in the world.

Cellebrite “enjoys a reputation as a silver bullet in 21st-century policing whose products are used only to beat terrorists and find abducted kids,” the Intercept said in an earlier report. “Like any good, vaguely sinister corporate spy outfitter, the company has never publicly confirmed which governments are among its customers, and deflects questions about whether it would sell its infamously powerful software to a repressive, rights-violating regime.”

But the leaked data obtained by Motherboard, along with the information cited by the Intercept and several other sources, yet again suggests that the company may not be the 21st century’s knight in shining armor it touts itself to be.


Forensics company confirms the hack

Along with other data, the stolen cache includes usernames and passwords for logging into Cellebrite databases connected to the company’s my.cellebrite domain, which Cellebrite’s customers use to access new software versions, among other things. While the hacker hasn’t dumped the content in the wild, Motherboard has verified the email addresses in the cache.

The stolen data also included customer support tickets, where clients asked the company for assistance on technical issues. These tickets revealed messages from the UAE’s Ministry of Interior, a ticket from a Russian Federation prosecutor’s office, and another from the Bahraini Ministry of Interior police force. While any country could use Cellebrite’s products for legitimate uses, the company has never commented on how it screens these requests.

Cellebrite has now admitted to the breach and has advised its users to change their passwords. In a statement, the company said:

Cellebrite recently experienced unauthorized access to an external web server. The company is conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company’s end user license management system. The company had previously migrated to a new user accounts system. Presently, it is known that the information accessed includes basic contact information of users registered for alerts or notifications on Cellebrite products and hashed passwords for users who have not yet migrated to the new system.
