Cellebrite UFED, an iPhone hacking tool made in Israel and widely used by law enforcement authorities including the Federal Bureau of Investigation and the Customs Enforcement and Immigration departments, is surprisingly up for sale on eBay.
This tool is mainly used for hacking or breaking open modern mobile phones such as iPhones and Androids for the sole purpose of obtaining data. Law enforcement authorities primarily use Cellebrite to extract data from Google smartphones and Apple devices. It is the same iPhone hacking tool that the FBI used to break open the iPhone 5C of Syed Rizwan Farook, the infamous San Bernardino shooter.
According to Forbes, second-hand Cellebrite units are being sold on eBay for between $100 and $1000. It is worth noting that Cellebrite sells new tools for $6,000. Understandably, Cellebrite, the forensic data firm that makes the Cellebrite UFED, isn’t happy about it and has warned customers against reselling such sensitive hacking devices because, if they land in the wrong hands, they can be exploited to access someone’s private information. Cellebrite also asked users to return the UFEDs to the company so that they can be decommissioned appropriately.
Cellebrite has issued a warning to customers about the risk of reselling its devices.
I spoke to a guy who found one at a real-world auction and resold on eBay. He didn't know he had police iPhone/Android hacking tech, put it in his garage to gather dust for 8 months.
— Thomas Brewster (@iblametom) February 27, 2019
Security researcher Matthew Hickey (Hacker Fantastic on Twitter) bought several Cellebrite UFED devices and found that there was indeed valuable data stored on them, including IMEI numbers that can be used to locate a mobile phone easily. Moreover, Hickey believes that the devices might also reveal chat and contact lists, but he didn’t attempt to dig any deeper.
Cellebrite UFED classic exploits & functions – I got this gem at an auction – has SIM card cloning features (elite) pic.twitter.com/xmLCgVO7iG
— Hacker Fantastic (@hackerfantastic) February 11, 2019
Another grave concern is that second-hand Cellebrite UFEDs can also leak information about vulnerabilities that many devices, such as Apple iPhones, contain. In March 2018, Forbes reported that Cellebrite can identify iOS flaws and crack the passwords of the newest Apple models including the iPhone X, and that the company deliberately keeps these flaws secret so that Apple cannot fix them. This way, Cellebrite helps law enforcement retrieve data from mobile phones.
Hickey claims that the units are poorly secured: he could easily identify the units' admin account passwords and take control of them, and accessing their license controls was also easy. All he needed to do was look up online guides on Turkish forums.
If Hickey could do this, imagine what a skilled hacker could be capable of. A smart hacker could easily hack iPhones using the information, modify the unit to alter evidence, or fully reverse the forensic process so that the device can hack the technology that Cellebrite is most sought after for.