Cell Phone Hacking Company Hacked; 900 GB Of Logins, Log Files, And Forensic Evidence Taken
from the let-he-who-is-without-security-breaches-throw-the-first-All-Writs-Order dept
Everything is compromised. In the latest case of a hacking company being hacked, Israel's Cellebrite is the latest to have its internal data hauled off by hackers. Joseph Cox of Motherboard was given inside details by the crew that claims to have spirited away login info and other data from the cell phone-cracking company.
Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite's products.
Included in the data haul are some other nifty surprises: evidence files from forensic searches of cell phones and logs from Cellebrite devices.
Cellebrite is a major supplier to US law enforcement, as well as to government agencies in countries with sketchier human rights records like Turkey, Russia, and the United Arab Emirates. In many ways, the company is similar to Italy's Hacking Team, which found itself hacked and its emailed dirty laundry aired by enterprising hackers unimpressed by the company's malleable morality.
What's truly interesting about this hack (and those similar to it) is that they go right to the heart of what's wrong with the DOJ's insistence that any "one-time" phone crack -- like the one they pursued in the San Bernardino mass shooting case -- would be safe as houses in the government's hands.
Riana Pfefferkorn -- who helped write an amicus brief on Apple's behalf (along with several other security researchers and professors) -- pointed out on Twitter that Cellebrite's hacking is exactly the sort of risk the government refused to seriously contemplate during its pursuit of an All Writs Order forcing Apple to open up the phone for the FBI.
If such a hack were created by Apple in response to a court order, there's no way for the FBI, Apple, or anyone else to plausibly claim it would be kept out of the hands of malicious actors. Companies in the business of breaking into devices aren't impervious to outside attacks. Neither is the US government, which has proven consistently weak when it comes to securing the massive amount of personally-identifiable information it collects from US citizens.
So far, the collected files haven't been shown to anyone but a few journalists, but Cox points out unauthorized access to Cellebrite isn't exactly a new thing.
Access to Cellebrite's systems has been traded among a select few in IRC chat rooms, according to the hacker.
“To be honest, had it not been for the recent stance taken by Western governments no one would have known but us,” the hacker told Motherboard. The hacker expressed disdain for recent changes in surveillance legislation.
Cellebrite's response to the hack is to claim that the only thing affected was a legacy server for end user licenses. Customers are being encouraged to change their passwords, but that comes a little too late to do much good. That license server may be the only thing breached through unauthorized means, but the log files and obtained evidence the hackers appear to have could easily have been taken out of the front end with compromised credentials.
The underlying fact is this: breaking protections like encryption or purchasing exploits to defeat it is something the FBI and other law enforcement entities will continue to advocate for, even while aware that it's impossible to claim definitively that the tools used won't be hijacked by someone else with more malicious motives. The Shadow Brokers' heist of NSA exploits shows that even if the government takes steps to protect what it has stored on its own servers, it can't prevent a disgruntled analyst from leaving a blackhat toolbag behind for others to find once a surveillance job is finished.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, encryption, hacking, phones
Companies: cellebrite
Reader Comments
Subscribe: RSS
View by: Time | Thread
Govt - It won't happen, trust us!
Sane person - It has already happened before [pointing at factual events].
Govt - No worries dear citizen, it was an anomnaly and won't happen again!
Sane person - That's what you said last time.
Govt - But this time we are absolutely positively sure it won't happen!
Sane person - Erm.. It seems it already happened [points at leaks].
Govt - CUUUUUUURSE YOU MASNICK!!!!
(This last part is fictitious and was added as an artistic touch pretending the Govt employee in the conversation is our beloved and absent troll)
[ link to this | view in thread ]
Keeping evidence
[ link to this | view in thread ]
Taking care of number one.
The FBI cares about the FBI first. The rest of the nation is a distant second.
[ link to this | view in thread ]
rest of the nation is a distant second
i don't for one second think we are second.
[ link to this | view in thread ]
Re:
Govt - Why are you talking about this? It's old news.
(Usually a few weeks after vehemently denying it ever happened at all.)
[ link to this | view in thread ]
Modified veraion
[ link to this | view in thread ]
Re: Modified veraion
The founding fathers were clear. Every nation is naturally turn to tyranny, it is the citizens job to stop it. Not that the "hey, its not out fault" visitors to TD would ever agree.
They like most other people prefer (as the Declaration of Independence states)...
"Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed."
Every time something happens, some fool clamors to the Government "why didnt you protect us?" and the government puts in a new law to remove liberty while still failing to protect, repeat ad nausea.
The same as all of the "we need regulation" idiots that abound in this place. Constantly blaming a free market, that does not exist, for problems caused by typical human greed and corruption.
Every Nation gets the government it deserves!
A simple truth that pisses off those in denial to no end.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Modified veraion
[ link to this | view in thread ]
Re: Keeping evidence
[ link to this | view in thread ]
[ link to this | view in thread ]
Schadenfreude
Yet I find myself LMAO!
(And I thought that Cellebrite was something they sold on late night TV to clean dentures.)
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Taken?
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Modified veraion
[ link to this | view in thread ]
Re: Re: Modified veraion
I see. So, let's take one of many, many examples from history: Poland. When the Nazis invaded Poland and took over the government it was because the Poles deserved it. They had it coming to them. Yeah, I see how that works. I wonder why they leave that part out of the history books. But wait, I bet it's in your own personal history book. Am I right?
[ link to this | view in thread ]
Re: Re: Re: Re:
Hey, I've seen a lot of casinos.
This is the best, classiest casino you're ever going to see.
Everyone who's ever come near one of my Trump casinos has said that they loved it.
This casino will restore dignity and respect to the political process.
Trust me, I know my casinos.
And if some people don't want the casino, then we'll make it even bigger.
And we'll make them pay for it.
Trust me, I know what I'm talking about. Classy beautiful stuff.
And I'll build a clown circus wing on to the white house.
I can use it to give speeches from the center ring. People will just love it.
It will be a historical addition unlike anything the founders could have imagined.
Trust me.
[ link to this | view in thread ]
Re: Re: Re: Modified veraion
Yet: corporations are people too!
So why wouldn't personal responsibility == corporate responsibility?
[ link to this | view in thread ]
Re: Taken?
[ link to this | view in thread ]
Cellebrite dellenda est!
[ link to this | view in thread ]
Re: Re: Re: Modified veraion
That old divide 'n' conquer strategy has proved very effective and it's costing us dearly. We need to be more willing to take the time to educate our friends and neighbours on the issues whether we agree with their general stances or not. We might not get them on side all of the time on everything but we might be able to get them onside on enough of the issues some of the time to make a real difference.
[ link to this | view in thread ]
easy to hack
[ link to this | view in thread ]