Cellebrite is proud to introduce #UFED Premium! An exclusive solution for law enforcement to unlock and extract data from all iOS and high-end Android devices. To learn more, click here: https://t.co/WHsaDxzoXz pic.twitter.com/BSixEkyAuL
— Cellebrite (@Cellebrite) June 14, 2019
Cellebrite claims their methods are only available to law enforcement agencies, but the exploit, like all others, will likely leak. While Cellebrite profits off of their “gray hat” hacking, smartphone users around the world could be in danger. This makes users a greater target for theft, hacking, extortion, and could put people in trouble with their governments.
UFED Premium
Interestingly, for the Samsung/Android device, Cellebrite claims they can do a “physical” file system extraction, whatever that is. It also states that they can “bypass or determine locks,” which makes it sound as though they’ve completely cracked Samsung’s security. Cellebrite also claims they can recover deleted information from the device.
For the iPhone, it seems as though their unlock still comes down to guessing passcodes. However, their method now includes “sophisticated algorithms to minimize unlock attempts.” This doesn’t sound promising (for them). It’s possible that their iPhone unlocking is nothing more than guessing numbers. Of course, with a person’s personal information, such as their date of birth, loved ones’s birthdays, or social security number and a variety of commonly used passcodes like 0000, 1111, 1234, and 5683 (love),it could still be effective. However, they may have other methods at their disposal that make these standard password extraction techniques more reliable.
Why Should We Worry?
There’s a reason our constitution protects us from unwarranted search and seizure. We need those protections to keep us safe and our private lives private. Yes, sometimes this helps criminals. But it protects law abiding citizens far more frequently than criminals, and we outnumber criminals by a wide margin.
However, we’ve already seen that law enforcement oversight is dreadfully inefficient. Police get away with crimes a citizen could never dream of. Those crimes are often abusive, including rape of inmates, stealing private photos from their phones, and more. If police have tools on hand that can unlock devices without the need for a warrant, nothing they do can be trusted.
In some countries, your government will be even less reliable. You could live somewhere where your religion, heritage, sexuality, or gender identity could put you behind bars or worse. The only thing protecting your secret will be your phone. But if a Russian or Saudi Arabian official wants your private information to figure out whether or not you’re gay, you’re going to pray they don’t have Cellebrite’s tools.
And these are just the “legitimate” uses of Cellebrite’s services. What about the illegal ones? You can already buy a number of Cellebrite’s tools online. The market is flooded with their tech, and their UFED Premium tool will be no different. Thieves can unlock phones with all the same tools as law enforcement. That’s why “gray hat” hacking is just as unethical as “black hat” hacking. Both create victims. “Gray hat” hackers like Cellebrite just profit off of the secondhand sales of their products who use them to steal, rather than actual theft. But the distinction is a small one.
What You Can Do
For Android users, first and foremost, turn off any biometric security. Face scanning, retina scanning, all of it. Just turn it off. Android is not very secure when it comes to these unlocking methods. Samsung’s face unlock, for example, can be fooled by a photo of you. Follow the same advice I gave for the iPhone, or, preferably, come up with a unique swipe pattern. Use one that crosses over the same point more than once, making it trickier for anyone to determine the pattern from your finger grease on the screen. Memorize it, write it down if you must, but destroy any physical copies after you’ve got it memorized. I’m not sure this would be enough for Android devices though. Cellebrite’s claims are far more extreme with Android than iOS.
No matter what OS you’re using, take steps to protect yourself. You never know when someone will try to pry into your device for your secrets, bank accounts, or to extort money from you. You could also be the victim of a fraudulent police or government investigation. Protect yourself with good security practices, and you’ll improve your chances.
Sources:
- Cellebrite
- Andy Greenberg, Wired
- Chance Miller, 9to5Mac