Cell Phone Hacking Company Hacked; 900 GB Of Logins, Log Files, And Forensic Evidence Taken

from the let-he-who-is-without-security-breaches-throw-the-first-All-Writs-Order dept

Everything is compromised. In the latest case of a hacking company being hacked, Israel's Cellebrite has had its internal data hauled off by hackers. Joseph Cox of Motherboard was given inside details by the crew that claims to have spirited away login info and other data from the cell phone-cracking company.

Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite's products.

Included in the data haul are some other nifty surprises: evidence files from forensic searches of cell phones and logs from Cellebrite devices.

Cellebrite is a major supplier to US law enforcement, as well as to government agencies in countries with sketchier human rights records like Turkey, Russia, and the United Arab Emirates. In many ways, the company is similar to Italy's Hacking Team, which found itself hacked and its emailed dirty laundry aired by enterprising hackers unimpressed by the company's malleable morality.

What's truly interesting about this hack (and those similar to it) is that it goes right to the heart of what's wrong with the DOJ's insistence that any "one-time" phone crack -- like the one it pursued in the San Bernardino mass shooting case -- would be safe as houses in the government's hands.

Riana Pfefferkorn -- who helped write an amicus brief on Apple's behalf (along with several other security researchers and professors) -- pointed out on Twitter that the hack of Cellebrite is exactly the sort of risk the government refused to seriously contemplate during its pursuit of an All Writs Order forcing Apple to open up the phone for the FBI.

If such a hack were created by Apple in response to a court order, there's no way for the FBI, Apple, or anyone else to plausibly claim it would be kept out of the hands of malicious actors. Companies in the business of breaking into devices aren't impervious to outside attacks. Neither is the US government, which has proven consistently weak when it comes to securing the massive amount of personally-identifiable information it collects from US citizens.

So far, the collected files haven't been shown to anyone but a few journalists, but Cox points out unauthorized access to Cellebrite isn't exactly a new thing.

Access to Cellebrite's systems has been traded among a select few in IRC chat rooms, according to the hacker.

“To be honest, had it not been for the recent stance taken by Western governments no one would have known but us,” the hacker told Motherboard. The hacker expressed disdain for recent changes in surveillance legislation.

Cellebrite's response to the hack is to claim that the only thing affected was a legacy server for end user licenses. Customers are being encouraged to change their passwords, but that comes a little too late to do much good. That license server may be the only thing breached through unauthorized means, but the log files and obtained evidence the hackers appear to have could easily have been taken out of the front end with compromised credentials.

The underlying fact is this: breaking protections like encryption or purchasing exploits to defeat it is something the FBI and other law enforcement entities will continue to advocate for, even while aware that it's impossible to claim definitively that the tools used won't be hijacked by someone else with more malicious motives. The Shadow Brokers' heist of NSA exploits shows that even if the government takes steps to protect what it has stored on its own servers, it can't prevent a disgruntled analyst from leaving a blackhat toolbag behind for others to find once a surveillance job is finished.


Reader Comments

  • Ninja, 13 Jan 2017 @ 5:45am

    Some of us will remember old 'out of the blue' troll that kept whining how copyright being used as censorship were all anomalies. Well, he could as well be a Govt employee because that's how the Govt handles most things like this:

    Govt - It won't happen, trust us!
    Sane person - It has already happened before [pointing at factual events].
    Govt - No worries dear citizen, it was an anomaly and won't happen again!
    Sane person - That's what you said last time.
    Govt - But this time we are absolutely positively sure it won't happen!
    Sane person - Erm.. It seems it already happened [points at leaks].
    Govt - CUUUUUUURSE YOU MASNICK!!!!

    (This last part is fictitious and was added as an artistic touch pretending the Govt employee in the conversation is our beloved and absent troll)

    • ThaumaTechnician, 13 Jan 2017 @ 7:19am

      Re:

      You forgot one:
      Govt - Why are you talking about this? It's old news.
      (Usually a few weeks after vehemently denying it ever happened at all.)

      • Anonymous Coward, 13 Jan 2017 @ 7:39am

        Re: Re:

        I suppose it's better than the golden decor at the New, Improved Trump House!

        • Anonymous Anonymous Coward, 13 Jan 2017 @ 8:49am

          Re: Re: Re:

          Are you suggesting that The Donald will redecorate the White House to look like a casino? Will there be any way to tell the difference, even if one does not look at the decor?

          • Ninja, 13 Jan 2017 @ 9:24am

            Re: Re: Re: Re:

            Oh, it isn't a casino?

          • DannyB, 13 Jan 2017 @ 1:13pm

            Re: Re: Re: Re:

            I will build a casino wing onto the Capitol building once I move in.
            Hey, I've seen a lot of casinos.
            This is the best, classiest casino you're ever going to see.
            Everyone who's ever come near one of my Trump casinos has said that they loved it.
            This casino will restore dignity and respect to the political process.
            Trust me, I know my casinos.
            And if some people don't want the casino, then we'll make it even bigger.
            And we'll make them pay for it.
            Trust me, I know what I'm talking about. Classy beautiful stuff.
            And I'll build a clown circus wing on to the White House.
            I can use it to give speeches from the center ring. People will just love it.
            It will be a historical addition unlike anything the founders could have imagined.
            Trust me.

  • Anonymous Coward, 13 Jan 2017 @ 6:39am

    Keeping evidence

    When a company helps with a forensic investigation, is there not any requirement that they delete their copies of the data afterward? Or at least move them to offline storage? And don't law enforcement have a responsibility to protect privacy by imposing such terms?

  • Anonymous Coward, 13 Jan 2017 @ 6:50am

    Taking care of number one.

    > something the FBI and other law enforcement entities will continue to advocate for

    The FBI cares about the FBI first. The rest of the nation is a distant second.

  • Capt ICE Enforcer, 13 Jan 2017 @ 7:25am

    Modified version

    I know this is silly. But shouldn't we start clumping the United States into the category of nations with sketchier human rights violations. After all, we have torture with the CIA, hidden interrogation cells with the Chicago PD, and a government that spies on all citizens real time. And let's not forget, invades / liberates other nations at whim.

    • Anonymous Coward, 13 Jan 2017 @ 7:37am

      Re: Modified version

      Start? Why do you think we should have ever stopped?

      The founding fathers were clear. Every nation will naturally turn to tyranny; it is the citizens' job to stop it. Not that the "hey, it's not our fault" visitors to TD would ever agree.

      They like most other people prefer (as the Declaration of Independence states)...

      "Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed."

      Every time something happens, some fool clamors to the Government "why didn't you protect us?" and the government puts in a new law to remove liberty while still failing to protect, repeat ad nauseam.

      The same as all of the "we need regulation" idiots that abound in this place. Constantly blaming a free market, that does not exist, for problems caused by typical human greed and corruption.

      Every Nation gets the government it deserves!
      A simple truth that pisses off those in denial to no end.

      • Donald Trump's Hair, 13 Jan 2017 @ 7:45am

        Re: Re: Modified version

        You make me look smart.

      • Anonymous Coward, 13 Jan 2017 @ 12:37pm

        Re: Re: Modified version

        Everyone gets what they deserve. It's called personal responsibility.

        • DannyB, 13 Jan 2017 @ 1:17pm

          Re: Re: Re: Modified version

          I always find it amusing that the people who believe or claim to believe in personal responsibility don't believe in corporate responsibility.

          Yet: corporations are people too!

          So why wouldn't personal responsibility == corporate responsibility?

      • Anonymous Coward, 13 Jan 2017 @ 12:52pm

        Re: Re: Modified version

        Every Nation gets the government it deserves! A simple truth that pisses off those in denial to no end.

        I see. So, let's take one of many, many examples from history: Poland. When the Nazis invaded Poland and took over the government it was because the Poles deserved it. They had it coming to them. Yeah, I see how that works. I wonder why they leave that part out of the history books. But wait, I bet it's in your own personal history book. Am I right?

        • Wendy Cockcroft, 16 Jan 2017 @ 7:37am

          Re: Re: Re: Modified version

          Be fair, AC: he means we're not doing enough to push back or to hold our representatives to account, which is true. Many of us may be making the effort, to be fair, but not enough of us are doing so to make a difference and that's mostly down to partisan pattycake.

          That old divide 'n' conquer strategy has proved very effective and it's costing us dearly. We need to be more willing to take the time to educate our friends and neighbours on the issues whether we agree with their general stances or not. We might not get them on side all of the time on everything but we might be able to get them onside on enough of the issues some of the time to make a real difference.

  • Berenerd, 13 Jan 2017 @ 7:51am

    Obviously the nearly a terabyte of information that was taken were all just cat videos and stupid memes from Facebook downloads.

  • Anonymous Coward, 13 Jan 2017 @ 8:03am

    Schadenfreude

    Only in this seriously screwed up world would this qualify as funny.

    Yet I find myself LMAO!

    (And I thought that Cellebrite was something they sold on late night TV to clean dentures.)

  • McKay, 13 Jan 2017 @ 9:10am

    Taken?

    Oh, was the information taken? Was this a theft of some kind?

  • oliver, 14 Jan 2017 @ 9:14am

    ha ha ha ha, that couldn't have happened to a shadier bunch of assholes! Serves them right
    Cellebrite delenda est!

  • mehak, 18 Jan 2017 @ 8:13pm

    easy to hack

    with the time hacking of Android phones is increased.
