from the let-he-who-is-without-security-breaches-throw-the-first-All-Writs-Order dept
Everything is compromised. In the latest case of a hacking company being hacked, Israel's Cellebrite has had its internal data hauled off by hackers. Joseph Cox of Motherboard was given inside details by the crew that claims to have spirited away login info and other data from the cell phone-cracking company.
Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite's products.
Included in the data haul are some other nifty surprises: evidence files from forensic searches of cell phones and logs from Cellebrite devices.
Cellebrite is a major supplier to US law enforcement, as well as to government agencies in countries with sketchier human rights records like Turkey, Russia, and the United Arab Emirates. In many ways, the company is similar to Italy's Hacking Team, which found itself hacked and its emailed dirty laundry aired by enterprising hackers unimpressed by the company's malleable morality.
What's truly interesting about this hack (and those similar to it) is that it goes right to the heart of what's wrong with the DOJ's insistence that any "one-time" phone crack -- like the one it pursued in the San Bernardino mass shooting case -- would be safe as houses in the government's hands.
Riana Pfefferkorn -- who helped write an amicus brief on Apple's behalf (along with several other security researchers and professors) -- pointed out on Twitter that the hacking of Cellebrite is exactly the sort of risk the government refused to seriously contemplate during its pursuit of an All Writs Order forcing Apple to open up the phone for the FBI.
If such a hack were created by Apple in response to a court order, there's no way for the FBI, Apple, or anyone else to plausibly claim it would be kept out of the hands of malicious actors. Companies in the business of breaking into devices aren't impervious to outside attacks. Neither is the US government, which has proven consistently weak when it comes to securing the massive amount of personally-identifiable information it collects from US citizens.
So far, the collected files haven't been shown to anyone but a few journalists, but Cox points out unauthorized access to Cellebrite isn't exactly a new thing.
Access to Cellebrite's systems has been traded among a select few in IRC chat rooms, according to the hacker.
“To be honest, had it not been for the recent stance taken by Western governments no one would have known but us,” the hacker told Motherboard. The hacker expressed disdain for recent changes in surveillance legislation.
Cellebrite's response to the hack is to claim that the only thing affected was a legacy server for end user licenses. Customers are being encouraged to change their passwords, but that comes a little too late to do much good. That license server may be the only thing breached through unauthorized means, but the log files and obtained evidence the hackers appear to have could easily have been taken out of the front end with compromised credentials.
The underlying fact is this: breaking protections like encryption or purchasing exploits to defeat it is something the FBI and other law enforcement entities will continue to advocate for, even while aware that it's impossible to claim definitively that the tools used won't be hijacked by someone else with more malicious motives. The Shadow Brokers' heist of NSA exploits shows that even if the government takes steps to protect what it has stored on its own servers, it can't prevent a disgruntled analyst from leaving a blackhat toolbag behind for others to find once a surveillance job is finished.