Cellebrite’s Smartphone Unlocking Tools Found on Secondhand Market, Some with User Data forbes.com

Thomas Brewster, Forbes (and, yes, I feel terrible exposing you to the Forbes website):

Cellebrite isn’t happy about those secondhand sales. On Tuesday, two sources from the forensics industry passed Forbes a letter from Cellebrite warning customers about reselling its hugely popular hacking devices because they could be used to access individuals’ private data. Rather than return the UFEDs to Cellebrite so they can be properly decommissioned, it appears police or other individuals who’ve acquired the machines are flogging them and failing to properly wipe them. Cybersecurity researchers are now warning that valuable case data and powerful police hacking tools could have leaked as a result.

Earlier this month, Matthew Hickey, a cybersecurity researcher and cofounder of training academy Hacker House, bought a dozen UFED devices and probed them for data. He discovered that the secondhand kit contained information on what devices were searched, when they were searched and what kinds of data were removed. Mobile identifier numbers like the IMEI code were also retrievable.

Hickey believes he could have extracted more personal information, such as contact lists or chats, though he decided not to delve into such data. “I would feel a little awful if there was a picture of a crime scene or something,” he said. But using the information within a UFED, Hickey believes a malicious hacker could identify the suspects and their relevant cases.

Remember when Apple refused to build a special version of iOS for the FBI to take as many cracks at user passcodes as they’d like, so they could bypass user encryption, on the grounds that it wouldn’t just be that one phone, and they couldn’t guarantee the security of that special version of iOS? Seems prescient, doesn’t it? Apple has also been taking heat for defending end-to-end encryption in the U.K. and Australia, where a law was recently passed that would require companies to provide unspecified support to law enforcement for accessing encrypted data.

Attempts to undermine encryption are attempts to make all personal technology users less secure. While it can make law enforcement’s job harder in some investigations, it would be foolish to universally compromise security.