Most US Cabinet Departments have bought Cellebrite iPhone hacking tool

Posted:
in iOS
A new report claims that 14 out of 15 US Cabinet Departments bought Cellebrite, the iOS unlocking technology, with the company saying 2,800 of its customers work in the government.




Cellebrite has famously been unlocking iPhones for many years, and the data extraction app itself has had security vulnerabilities. Nonetheless, it has been widely used around the world - and even in US public schools.

According to The Intercept, that reach has extended to all but one of the USA's Cabinet Departments. The publication has not identified the sole department not using Cellebrite.

The Intercept claims that Federal purchasing records and Cellebrite securities documents seen by the publication, also show that several other federal agencies. Government buyers of Cellebrite include:

  • US Fish and Wildlife Service

  • Department of Agriculture

  • Department of Education

  • Department of Veterans Affairs

  • Housing and Urban Development

  • Social Security Administration

  • US Agency for International Development

  • Centers for Disease Control and Prevention

In those securities filings, the Cellebrite company reported having over 2,800 government customers in North America. Also that its clients include 6 out of 10 of the world's largest pharmaceutical companies, and 6 out of 10 of the largest oil refiners.

Separately, the FBI has recently been reported to have evaluated buying the NSO Group's more powerful Pegasus software, for domestic surveillance.

Read on AppleInsider
«1

Comments

  • Reply 1 of 26
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    williamlondon
  • Reply 2 of 26
    Mac4mac said:
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    I’m curious what evidence you have of this because I find it very difficult to believe that Apple would need a third-party vendor’s tool to copy their own product.
    GeorgeBMacJaiOh81mwhitemike1ronnlavanderfieldscornchipmacxpresszeus423viclauyyc
  • Reply 3 of 26
    peteopeteo Posts: 402member
    Mac4mac said:
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    Yes apple (well one of it's shell companies) 100% does have at least one of these. They use it to learn of the exploits Cellebrite is using so they can fix them.


    cornchipwatto_cobra
  • Reply 4 of 26
    22july201322july2013 Posts: 3,060member
    I'm pretty sure Cellebrite is the company name, NOT the product name. The product name is UFED Premium, I think. I googled it.

    Also, I suspect that you can't buy a UFED Premium. It's probably leased, and has to be returned at end of lease. But I'm just using common sense here.
    edited February 9
  • Reply 5 of 26
    macbear01 said:
    Mac4mac said:
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    I’m curious what evidence you have of this because I find it very difficult to believe that Apple would need a third-party vendor’s tool to copy their own product.
    When I worked at Apple Retail we used to use a Cellebrite to transfer contacts and other data from non-iPhones to iPhones as part of the setup process. The process was a little clunky and it didn’t always work but all retail stores had the device. The units I used did not look like the one pictured in this article. I also have no knowledge of if they are currently in use at Apple Stores, but they definitely were in the past. 
    grandact73williamhwatto_cobra
  • Reply 6 of 26
    GeorgeBMacGeorgeBMac Posts: 11,421member
    I have no trouble with government being able to unlock and examine phones.
    But, it needs to follow the same procedures established centuries ago for unlocking and examining one's home or office.

    I find it highly unlikely that all these agencies are doing that.
    Or, possibly, this has nothing to do with searching a phone and instead is being used by IT departments to unlock phones after their user left the organization and the phone was returned to the IT dept -- or the user simply forgot the passcode and IT has unlock it for them?
    cornchipbyronl
  • Reply 7 of 26
    rob53rob53 Posts: 3,010member
    I could care less about whether Apple has one of these devices but I do want to know what kind of procurement justification these government buyers used. In my opinion none of them have any legitimate justification to buy one, especially from a sensitive country like Israel. This requires additional paperwork and high level approval, except for those three-letter agencies that get dark money from Congress. Looking at the list I can't see how any of them received the justification for a hacking tool. I hope someone files a FOIA request for procurement records because I doubt they had any justification for buying them. As for the pharmaceuticals and oil refineries, I could see this hacking tool used to make sure employees aren't stealing corporate information but there's other ways of dealing with that (MDM systems logging all communications made by company devices, which is absolutely legal). Government-procured mobile devices have the same right to access all their devices and shouldn't have to rely on hacking tools, if they're configured properly the system administrator already has all the information they need. This is why certain politicians use personal phones to conduct government business (illegal) to not get caught so easily. 
    ronndarkvaderwilliamlondonwatto_cobra
  • Reply 8 of 26
    DAalsethDAalseth Posts: 2,211member
    rob53 said:
    I could care less about whether Apple has one of these devices but I do want to know what kind of procurement justification these government buyers used. In my opinion none of them have any legitimate justification to buy one, especially from a sensitive country like Israel. This requires additional paperwork and high level approval, except for those three-letter agencies that get dark money from Congress. Looking at the list I can't see how any of them received the justification for a hacking tool. I hope someone files a FOIA request for procurement records because I doubt they had any justification for buying them. As for the pharmaceuticals and oil refineries, I could see this hacking tool used to make sure employees aren't stealing corporate information but there's other ways of dealing with that (MDM systems logging all communications made by company devices, which is absolutely legal). Government-procured mobile devices have the same right to access all their devices and shouldn't have to rely on hacking tools, if they're configured properly the system administrator already has all the information they need. This is why certain politicians use personal phones to conduct government business (illegal) to not get caught so easily. 
    This was my first thought. WTH does Social Security or HUD need with a hacking tool? Can’t be for an investigation because if they suspect fraud then it gets turned over to the Justice Department. And I don’t buy @GeorgeBMac ‘s idea that they would use it for routine IT functions like unlocking a phone when the PW is lost. Talk about using a sledgehammer to kill a spider. 
    cornchip
  • Reply 9 of 26
    mike1mike1 Posts: 3,023member
    peteo said:
    Mac4mac said:
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    Yes apple (well one of it's shell companies) 100% does have at least one of these. They use it to learn of the exploits Cellebrite is using so they can fix them.



    Now, that makes total sense.
    watto_cobra
  • Reply 10 of 26
    GeorgeBMacGeorgeBMac Posts: 11,421member
    DAalseth said:
    rob53 said:
    I could care less about whether Apple has one of these devices but I do want to know what kind of procurement justification these government buyers used. In my opinion none of them have any legitimate justification to buy one, especially from a sensitive country like Israel. This requires additional paperwork and high level approval, except for those three-letter agencies that get dark money from Congress. Looking at the list I can't see how any of them received the justification for a hacking tool. I hope someone files a FOIA request for procurement records because I doubt they had any justification for buying them. As for the pharmaceuticals and oil refineries, I could see this hacking tool used to make sure employees aren't stealing corporate information but there's other ways of dealing with that (MDM systems logging all communications made by company devices, which is absolutely legal). Government-procured mobile devices have the same right to access all their devices and shouldn't have to rely on hacking tools, if they're configured properly the system administrator already has all the information they need. This is why certain politicians use personal phones to conduct government business (illegal) to not get caught so easily. 
    This was my first thought. WTH does Social Security or HUD need with a hacking tool? Can’t be for an investigation because if they suspect fraud then it gets turned over to the Justice Department. And I don’t buy @GeorgeBMac ‘s idea that they would use it for routine IT functions like unlocking a phone when the PW is lost. Talk about using a sledgehammer to kill a spider. 

    Good point on the sledge hammer analogy.
    But think about it:   How would Social Security or HUD (or most of the others) even come to possess a phone to unlock if it didn't originate from that agency?
    Police can easily confiscate stuff as "evidence" (they even used that line in AppleTV's latest comedy series) but these other agencies can't realistically do that.  Any phones they have are likely their own.

    Having worked IT support for a regional RedCross operation, I found "I forgot my passcode" to be a pretty typical request.   And, if the person asking is an executive or critical person, telling them that you'll wipe their phone would not go over well.


  • Reply 11 of 26
    I have no trouble with government being able to unlock and examine phones.
    But, it needs to follow the same procedures established centuries ago for unlocking and examining one's home or office.

    I find it highly unlikely that all these agencies are doing that.
    Or, possibly, this has nothing to do with searching a phone and instead is being used by IT departments to unlock phones after their user left the organization and the phone was returned to the IT dept -- or the user simply forgot the passcode and IT has unlock it for them?
    I don’t think the government should have this power. Just as I don’t think the police should be allowed to go into your house without getting your permission, like in the case of a no knock warrant. I would also argue that you might have a little too much faith in the government if you think they’re not using the phone to unlock criminals phones. Not to mention the government loves wasting money. 
    edited February 9 StrangeDays
  • Reply 12 of 26
    DAalsethDAalseth Posts: 2,211member
    DAalseth said:
    rob53 said:
    I could care less about whether Apple has one of these devices but I do want to know what kind of procurement justification these government buyers used. In my opinion none of them have any legitimate justification to buy one, especially from a sensitive country like Israel. This requires additional paperwork and high level approval, except for those three-letter agencies that get dark money from Congress. Looking at the list I can't see how any of them received the justification for a hacking tool. I hope someone files a FOIA request for procurement records because I doubt they had any justification for buying them. As for the pharmaceuticals and oil refineries, I could see this hacking tool used to make sure employees aren't stealing corporate information but there's other ways of dealing with that (MDM systems logging all communications made by company devices, which is absolutely legal). Government-procured mobile devices have the same right to access all their devices and shouldn't have to rely on hacking tools, if they're configured properly the system administrator already has all the information they need. This is why certain politicians use personal phones to conduct government business (illegal) to not get caught so easily. 
    This was my first thought. WTH does Social Security or HUD need with a hacking tool? Can’t be for an investigation because if they suspect fraud then it gets turned over to the Justice Department. And I don’t buy @GeorgeBMac ‘s idea that they would use it for routine IT functions like unlocking a phone when the PW is lost. Talk about using a sledgehammer to kill a spider. 

    Good point on the sledge hammer analogy.
    But think about it:   How would Social Security or HUD (or most of the others) even come to possess a phone to unlock if it didn't originate from that agency?
    Police can easily confiscate stuff as "evidence" (they even used that line in AppleTV's latest comedy series) but these other agencies can't realistically do that.  Any phones they have are likely their own.

    Having worked IT support for a regional RedCross operation, I found "I forgot my passcode" to be a pretty typical request.   And, if the person asking is an executive or critical person, telling them that you'll wipe their phone would not go over well.


    I know what you mean about not going over well. The controller of the University I worked for got hit with the I Live You malware. He called me because he’d gotten like a dozen of the emails and “none of the damned attachments will open”. Yeah he wasn’t the brightest bulb. I had to tell him his system was completely compromised and had to be nuked. Sorry but the documents on your desktop gone you should have stored them on the network.  And the pictures of your kids. All gone too.  Can’t save anything  

    That didn’t go over well. 

    GeorgeBMac
  • Reply 13 of 26
    22july201322july2013 Posts: 3,060member
    I have no trouble with government being able to unlock and examine phones.
    But, it needs to follow the same procedures established centuries ago for unlocking and examining one's home or office.

    I find it highly unlikely that all these agencies are doing that.
    Or, possibly, this has nothing to do with searching a phone and instead is being used by IT departments to unlock phones after their user left the organization and the phone was returned to the IT dept -- or the user simply forgot the passcode and IT has unlock it for them?
    I don’t think the government should have this power. Just as I don’t think the police should be allowed to go into your house without getting your permission, like in the case of a no knock warrant. I would also argue that you might have a little too much faith in the government if you think they’re not using the phone to unlock criminals phones. Not to mention the government loves wasting money. 
    I certainly don't want you to think that I'm on GBM's side of this or any issue, (I'm probably never on GBM's side) but I have a question for you. If the US government (I presume that's the government you are referring to) isn't permitted to get access to your house, phone or bank accounts without your permission, then how do you feel about Americans doing business in other countries where the government not only DOES have access to those things, but REQUIRES that anyone doing business in those countries grant them access to those things? If you are an international business person, do you just hand those things over to a foreign government without a fight? Are you comfortable with handing over all your inalienable rights to any dictators/foreigners, but not to the US government?
  • Reply 14 of 26
    1348513485 Posts: 239member
    I have no trouble with government being able to unlock and examine phones.
    But, it needs to follow the same procedures established centuries ago for unlocking and examining one's home or office.

    I find it highly unlikely that all these agencies are doing that.
    Or, possibly, this has nothing to do with searching a phone and instead is being used by IT departments to unlock phones after their user left the organization and the phone was returned to the IT dept -- or the user simply forgot the passcode and IT has unlock it for them?
    I don’t think the government should have this power. Just as I don’t think the police should be allowed to go into your house without getting your permission, like in the case of a no knock warrant. I would also argue that you might have a little too much faith in the government if you think they’re not using the phone to unlock criminals phones. Not to mention the government loves wasting money. 
    For the essay portion of your test:

    If you don't think governments should have this power, should for-profit corporations have this power? Compare and contrast.
    Further, are you saying a suspect should be able to destroy evidence, rape, kill or conduct any criminal activities as long as he/she doesn't answer the doorbell (PS To prevent this is why they have "exigent circumstances" in certain cases to allow law enforcement to enter a a building without announcing their presence)
    GeorgeBMac
  • Reply 15 of 26
    22july201322july2013 Posts: 3,060member
    13485 said:
    I have no trouble with government being able to unlock and examine phones.
    But, it needs to follow the same procedures established centuries ago for unlocking and examining one's home or office.

    I find it highly unlikely that all these agencies are doing that.
    Or, possibly, this has nothing to do with searching a phone and instead is being used by IT departments to unlock phones after their user left the organization and the phone was returned to the IT dept -- or the user simply forgot the passcode and IT has unlock it for them?
    I don’t think the government should have this power. Just as I don’t think the police should be allowed to go into your house without getting your permission, like in the case of a no knock warrant. I would also argue that you might have a little too much faith in the government if you think they’re not using the phone to unlock criminals phones. Not to mention the government loves wasting money. 
    For the essay portion of your test:

    If you don't think governments should have this power, should for-profit corporations have this power? Compare and contrast.
    Further, are you saying a suspect should be able to destroy evidence, rape, kill or conduct any criminal activities as long as he/she doesn't answer the doorbell (PS To prevent this is why they have "exigent circumstances" in certain cases to allow law enforcement to enter a a building without announcing their presence)
    You are being fairly friendly in your post, but I didn't draw the same conclusion that you did that he opposed the idea of a warrant. In that case he was not saying anyone could conduct criminal actives as long as they don't answer the door. I think you drew a little too much into his lack of mentioning warrants.
  • Reply 16 of 26
    macbear01 said:
    Mac4mac said:
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    I’m curious what evidence you have of this because I find it very difficult to believe that Apple would need a third-party vendor’s tool to copy their own product.
    Erm…. I worked there. I used the tool multiple times. Generally it was used to transfer Android phones to iPhone. (This was in 2017). So this isn’t hearsay or guesses, this is fact. 
    GeorgeBMac
  • Reply 17 of 26
    Well if the government has this tool, then why are they whining about needing encryption back doors? Seems like they can access the data just fine.
  • Reply 18 of 26
    I bet this product comes with a license agreement with rules against reverse engineering the code or hacking it.
    Hopefully someone who purchased a license will slip Apple a copy of each new version.
  • Reply 19 of 26
    crowleycrowley Posts: 10,363member
    Mac4mac said:
    macbear01 said:
    Mac4mac said:
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    I’m curious what evidence you have of this because I find it very difficult to believe that Apple would need a third-party vendor’s tool to copy their own product.
    Erm…. I worked there. I used the tool multiple times. Generally it was used to transfer Android phones to iPhone. (This was in 2017). So this isn’t hearsay or guesses, this is fact. 
    To what?
  • Reply 20 of 26
    crowley said:
    Mac4mac said:
    macbear01 said:
    Mac4mac said:
    You do know Apple themselves use the devices, not to hack, but to “device to device” copy. 
    Obviously the software may not be exactly the same. There’s an irony in there somewhere! 
    I’m curious what evidence you have of this because I find it very difficult to believe that Apple would need a third-party vendor’s tool to copy their own product.
    Erm…. I worked there. I used the tool multiple times. Generally it was used to transfer Android phones to iPhone. (This was in 2017). So this isn’t hearsay or guesses, this is fact. 
    To what?
    To the point that was made earlier in the discussion that Apple USED to use a Cellbrite device. Now these devices are not the same as the ones sold to law enforcement. The ones Apple used were to help copy contacts from old non smartphones to iPhones. I’ve also seen the same device at Verizon and Best Buy. It’s a small windows based device with two ports and a program that helps you transfer over phone numbers and media. It came with an assortment of cables to be used for older cellphones. Once iCloud and other technologies came out to transfer information they disappeared. 
    GeorgeBMac
Sign In or Register to comment.