Cellebrite and other iPhone hacking tools purchased by U.S. public schools

Posted:
in General Discussion
U.S. public schools are acquiring forensic tools meant for police and military use to hack into student and faculty iPhones across the U.S.

Cellebrite can be used to hack into student's iPhones depending on security settings
Cellebrite can be used to hack into student's iPhones depending on security settings


Apple places privacy and security above all else when designing the iPhone, yet government facilities and institutions like the FBI continue to seek backdoors for "the greater good." Despite pressure from the United States and Australian governments, among others, Apple has not broken its encryption or created a back door.

Companies like Cellebrite seek to profit from this dilemma by finding new vulnerabilities and hacks to bypass iPhone security. They package these vulnerabilities into devices called "mobile device forensic tools" or MDFTs and sell them for a big profit, mostly to law enforcement and other governmental agencies.

While police and the FBI have been known to deal with Cellebrite and other companies, the desire to break into iPhones is spreading. A report from Gizmodo says that several public school districts have begun purchasing the tools to use on students and faculty.

Cellebrite made headlines after the 2016 San Bernardino shooting when it was discovered that the FBI had purchased at least $2 million worth of Cellebrite products since 2012. Multiple police stations around the U.S. are also on record for possessing the forensic units in order to break into criminal's smartphones.

The school systems investigated have spent thousands on different forensic tools. Given existing precedent on student rights on a school's grounds, in most states, as long as the faculty have reasonable suspicion that a student is performing illegal activities they can search a student's phone. It is unknown if parents are being made aware of the capability in districts that possess the devices.

Apple continues to up its security standards with each new iPhone released
Apple continues to up its security standards with each new iPhone released


One such case in 2016 says a student granted the school access to their phone for a search. The phone was plugged into a Cellebrite machine and investigators were able to discover deleted text messages between the student and teacher, which lead to an arrest.

While cases like these occur, giving public schools unilateral access to forensic tools without oversight could lead to the invasion of hundreds of thousands of students privacy for the sake of "security." Due to laws surrounding the public school system students are not necessarily protected by the fourth amendment, and can be subject to search and seizure without due process.

"Cellebrites and Stingrays started out in the provenance of the U.S. military or federal law enforcement, and then made their way into state and local law enforcement, and also eventually make their way into the hands of criminals or petty tyrants like school administrators," says Cooper Quentin, senior staff technologist at the Electronic Frontier Foundation. "This is the inevitable trajectory of any sort of surveillance technology or any sort of weapon."

Concerns have been raised over this new development, surrounding school discipline, and approved staff who can use the device, and for what reasons. The lack of oversight on these phone penetration tools can prove to be serious attacks on student privacy and welfare.

Cellebrite and other forensic tools are only as good as the exploit they use to break into a device. With the proper device security, users can make it very difficult for such tools to work. Measures that smartphone users can take to lengthen the penetration process include use of an alphanumeric passcode, users disabling biometrics before handing over a phone, and enabling the ability for the phone to reset itself after 10 failed access attempts.
«1

Comments

  • Reply 1 of 38
    BeatsBeats Posts: 2,913member
    When the principal has access to your iPhone, privacy becomes a bigger problem.

    Is Apple not allowed to sue Cellebrite and shut them down? How is this different from intentionally intruding a business'/institution's privacy? How is it different from selling tools that allow you to open specific banks vault or an interceptor that can change prices at Wal-Mart registers?
    Oferspock1234viclauyyc
  • Reply 2 of 38
    lkrupplkrupp Posts: 9,989member
    A school district is NOT a law enforcement agency and therefore cannot confiscate and hack into a student’s or faculty member’s personal mobile device without permission. I can see a deluge of lawsuits coming for these school districts. How could a school official confiscate a faculty member’s personal device in the first place? This makes no sense whatsoever.
    OferDogpersonspock1234caladanianSpamSandwicholsbyronl
  • Reply 3 of 38

    Cellebrite and other forensic tools are only as good as the exploit they use to break into a device. With the proper device security, users can make it very difficult for such tools to work. Measures that smartphone users can take to lengthen the penetration process include... enabling the ability for the phone to reset itself after 10 failed access attempts.
    The thing that puzzles me: why is Apple's reset set to a max of 10 password tries by the user? After all, it would take many, many multiples -- even exponents -- of that for an automated password-cracking device to hack even an 'easy' password, no?
    caladanian
  • Reply 4 of 38
    Beats said:
    When the principal has access to your iPhone, privacy becomes a bigger problem.

    Is Apple not allowed to sue Cellebrite and shut them down? How is this different from intentionally intruding a business'/institution's privacy? How is it different from selling tools that allow you to open specific banks vault or an interceptor that can change prices at Wal-Mart registers?

    What Apple needs to do is reverse engineer these devices and close the holes they're using.

    Cops/schools/whoever should NOT be able to access an iPhone without the owner's permission under ANY circumstances.
    Oferspock1234Dogperson
  • Reply 5 of 38
    lkrupp said:
    A school district is NOT a law enforcement agency and therefore cannot confiscate and hack into a student’s or faculty member’s personal mobile device without permission. I can see a deluge of lawsuits coming for these school districts. How could a school official confiscate a faculty member’s personal device in the first place? This makes no sense whatsoever.
    You can't evaluate the lawfulness in this situation by lumping student and faculty rights together.  Student rights are far less protective than faculty rights.  In certain school districts, student lockers, cars, and possessions can be searched without consent if there is reasonable suspicion of illegal activity.  The reasonableness of that suspicion is determined by school authorities. However, proper warrants (based on evidence) or consent would be required for faculty.  Plus teachers got unions to put the kibosh on all that rights trampling.   The school can't confiscate a faculty member's personal device.  The school can confiscate a job supplied device like a phone or laptop.

    The case mentioned in this story:  the student gave consent, evidence was found implicating the teacher, and proper warrants were issued leading to an arrest.
    edited December 2020 baconstangmuthuk_vanalingam
  • Reply 6 of 38
    WTF??? How about paying teachers a decent salary. This is wrong on so many levels. 
    rezwitsviclauyycols
  • Reply 7 of 38
    darkvader said:
    Beats said:
    When the principal has access to your iPhone, privacy becomes a bigger problem.

    Is Apple not allowed to sue Cellebrite and shut them down? How is this different from intentionally intruding a business'/institution's privacy? How is it different from selling tools that allow you to open specific banks vault or an interceptor that can change prices at Wal-Mart registers?

    What Apple needs to do is reverse engineer these devices and close the holes they're using.

    Cops/schools/whoever should NOT be able to access an iPhone without the owner's permission under ANY circumstances.

    So, the cops shouldn’t be able to break into even criminals phones? Only a criminal would think that’s a good idea 
  • Reply 8 of 38
    hexclockhexclock Posts: 1,039member
    mac_dog said:
    WTF??? How about paying teachers a decent salary. This is wrong on so many levels. 
    Teachers make good money. Why the hell should my school taxes buy equipment like this?
    rezwits
  • Reply 9 of 38
    jimh2jimh2 Posts: 401member
    lkrupp said:
    A school district is NOT a law enforcement agency and therefore cannot confiscate and hack into a student’s or faculty member’s personal mobile device without permission. I can see a deluge of lawsuits coming for these school districts. How could a school official confiscate a faculty member’s personal device in the first place? This makes no sense whatsoever.
    I think the issue is that the student should not be able to grant permission for his/her phone to be searched. I am certain that things get scary with an adult pressuring a student to give up their phones passwords. Most students would not know they have a right to refuse and to call their parent. This is no different than when the police ask someone to come down to the station to answer some questions. They do not bother to tell the person they might be under investigation nor are they required to while asking questions about a crime. They have to read them their Miranda rights after they are arrested, but prior to that they can ask away.

    The advice when dealing with the police is to refuse to go anywhere to answer questions and furthermore do not answer any questions even if you think or know you are innocent. If they have enough evidence to arrest someone they will do it otherwise they have nothing to learn unless you tell them.

    The only reason to speak with the police is if you are reporting a crime.

    This whole thing reminds of road blocks set up on a highway that is one of only two ways into a resort area. The police were asking every driver if it was ok to search their car without telling them specifically that it was optional. Many let the police search and many were arrested. I am not on the side of criminals, but this type of police work normalize bad behavior by the police.
    sportyguy209baconstangbonobobGeorgeBMacols
  • Reply 10 of 38
    This makes no sense and is certainly an abuse of power. If it is happening it needs to stop.

    If it is a school owned device, they can remotely clear the passcode without these hacking tools. This only makes sense if they are forcing their way in to a student owned device.
    edited December 2020 spock1234baconstang
  • Reply 11 of 38
    "criminals or petty tyrants like school administrators"

    Now that sounds spot-on.
    viclauyycols
  • Reply 12 of 38
    p-dogp-dog Posts: 116member
    hexclock said:
    mac_dog said:
    WTF??? How about paying teachers a decent salary. This is wrong on so many levels. 
    Teachers make good money. Why the hell should my school taxes buy equipment like this?
    Hexclock, that is absolute and total bull$#it! I have been teaching for 28 years with 2 degrees AND a state teacher of the year award from Florida (3rd most populous state in the union) and my take home pay after all this time is only $47k. Moreover, the state where I teach now has no unions or workplace protections and has had a ban on collective bargaining for ALL state employees for almost 60 years. That is a major reason why I only bring home $47k after almost 3 decades in the classroom and could be fired at any time based upon my district's whim. I've had enough of that right-wing, anti-public education claptrap to last a (financially meagre) lifetime.  :/
    edited December 2020 zeus423bageljoeybonobobrezwitsviclauyycurdamanolsbeachdog1
  • Reply 13 of 38
    p-dog said:
     I have been teaching for 28 years with 2 degrees AND a state teacher of the year award from Florida (3rd most populous state in the union) and my take home pay after all this time is only $47k. 
    With all due respect to the critical work you do, complaining that your take home pay is only $47k doesn’t really tell us much.  Telling us your GROSS pay would be more relevant. 

    But based on take home pay of $47k, your gross pay could be close to $100k – depending on how much is taken out, pre-tax, for retirement savings or other benefits accruing to you.  
  • Reply 14 of 38
    UniqueGuy said:
    p-dog said:
     I have been teaching for 28 years with 2 degrees AND a state teacher of the year award from Florida (3rd most populous state in the union) and my take home pay after all this time is only $47k. 
    With all due respect to the critical work you do, complaining that your take home pay is only $47k doesn’t really tell us much.  Telling us your GROSS pay would be more relevant. 

    But based on take home pay of $47k, your gross pay could be close to $100k – depending on how much is taken out, pre-tax, for retirement savings or other benefits accruing to you.  
    You are hopeless. 
    urdaman
  • Reply 15 of 38
    Beats said:
    When the principal has access to your iPhone, privacy becomes a bigger problem.

    Is Apple not allowed to sue Cellebrite and shut them down? How is this different from intentionally intruding a business'/institution's privacy? How is it different from selling tools that allow you to open specific banks vault or an interceptor that can change prices at Wal-Mart registers?
    If the principal has access to a student's phone then students have access to the principal's phone?
    .... That would make the whole issue blow away like dust in the wind.

    In truth, searching phones should be treated no differently than searching a person's house.   There is really no difference.  Both need to be based in law and the Constitution.

  • Reply 16 of 38
    mac_dog said:
    WTF??? How about paying teachers a decent salary. This is wrong on so many levels. 

    Here in PA teachers are pulling in 6 figure salaries -- along with Cadillac health care and pension plans that are bankrupting local school districts.
    They have the most powerful union in the state.

    It started 30 or so years ago with teacher strikes shutting down entire school districts till they surrendered to the teacher's demands.   Now teachers have almost equal authority over a school district's decision making capabilities.   One example from my own district:   They brought in outside monitors to watch kids for a couple hours so they could stay in the school building after school hours while they waited for their working parents to pick them up.   The teacher's union shut it down demanding that the monitors be fired and instead teachers paid overtime to act as baby sitters.  It was a clear money grab by the teachers at tax payer expense by some very highly paid professionals.
  • Reply 17 of 38
    swat671 said:
    darkvader said:
    Beats said:
    When the principal has access to your iPhone, privacy becomes a bigger problem.

    Is Apple not allowed to sue Cellebrite and shut them down? How is this different from intentionally intruding a business'/institution's privacy? How is it different from selling tools that allow you to open specific banks vault or an interceptor that can change prices at Wal-Mart registers?

    What Apple needs to do is reverse engineer these devices and close the holes they're using.

    Cops/schools/whoever should NOT be able to access an iPhone without the owner's permission under ANY circumstances.

    So, the cops shouldn’t be able to break into even criminals phones? Only a criminal would think that’s a good idea 

    We have a thing called the Constitution.   It protects us from criminals standing on either side of the badge.
    plastico23just cruisinUniqueGuy
  • Reply 18 of 38
    hexclock said:
    mac_dog said:
    WTF??? How about paying teachers a decent salary. This is wrong on so many levels. 
    Teachers make good money. Why the hell should my school taxes buy equipment like this?

    That largely depends on the state and school district.  Teacher salaries and benefits vary greatly -- from very generous to very stingy.
  • Reply 19 of 38
    p-dog said:
    hexclock said:
    mac_dog said:
    WTF??? How about paying teachers a decent salary. This is wrong on so many levels. 
    Teachers make good money. Why the hell should my school taxes buy equipment like this?
    Hexclock, that is absolute and total bull$#it! I have been teaching for 28 years with 2 degrees AND a state teacher of the year award from Florida (3rd most populous state in the union) and my take home pay after all this time is only $47k. Moreover, the state where I teach now has no unions or workplace protections and has had a ban on collective bargaining for ALL state employees for almost 60 years. That is a major reason why I only bring home $47k after almost 3 decades in the classroom and could be fired at any time based upon my district's whim. I've had enough of that right-wing, anti-public education claptrap to last a (financially meagre) lifetime.  :/

    Instead of whining, why don't you move to Pennsylvania:   6 digit salaries and Cadillac health and pension plans.

    Very simply, you cannot generalize about teacher salaries and benefits because they vary widely between states and school districts.
    Some states have demolished unions and their protections for workers -- other states have let them run free and loose and they have gained too much power.
  • Reply 20 of 38
    hexclock said:
    mac_dog said:
    WTF??? How about paying teachers a decent salary. This is wrong on so many levels. 
    Teachers make good money. Why the hell should my school taxes buy equipment like this?
    Teachers are not even paid the money they are worth and deserve. Granted some principles and senior admins some time think they are "gods" lording over their little domains. But spending money on this equipment rather than PPE for their teachers is morally wrong!
Sign In or Register to comment.