this post was submitted on 20 Aug 2023
380 points (98.2% liked)


Cellebrite asks cops to keep its phone hacking tech ‘hush hush’ | TechCrunch

For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and

In a leaked video, a Cellebrite employee urges law enforcement customers to keep their use of its phone hacking technology secret.

[–] [email protected] 85 points 1 year ago

Reminder: They're using your tax dollars to pay other companies to spy on you. This will only get worse.

[–] zaph 82 points 1 year ago (2 children)
[–] [email protected] 35 points 1 year ago

I really love Signal.

[–] [email protected] 26 points 1 year ago

That was the article that introduced me to Signal, very good read.

[–] [email protected] 51 points 1 year ago (2 children)

They'll do their best to keep this out of the courtroom. This is a spying tool for parallel construction and espionage (corporate, political, etc) and they do not want to get called onto the stand under oath to testify about it.

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago)

Yes they will, and it will work. It's not like this is the first time fascists built tools for other fascists to use on the public illegally, then once it came to light the tired, sick, worked to death population did exactly what they were conditioned to do, nothing, because they can't, they have no power, because they have been drained by corporate fascists so they have no recourse, no say in anything, it's just go back to work to make sure you're not eating out of garbage cans by next month.

The public is apathetic, but it's by design, if you don't already know about Edward Bernays then I suggest looking him up and finding out how they control the public. This however feels very familiar, there was a scandal in the 90s about Stingray devices being used illegally by guess who..... fascist cops doing what the fascist propaganda taught them their whole life, get those "criminals" any way you can, even if you have to become the highest order of criminal scum to do so, all those cop shows conditioned those fascists just right (no pun intended.) In other words this is just business as usual. Here's a link to Wikipedia about Stingray devices if you're interested. https://en.m.wikipedia.org/wiki/Stingray_use_in_United_States_law_enforcement

[–] [email protected] 5 points 1 year ago

I’m sorry but this is just not true.

Any given criminal case these days is lousy with Cellebrite reports.

[–] [email protected] 47 points 1 year ago

I like this part...

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

[–] [email protected] 37 points 1 year ago

This is the best summary I could come up with:


This request concerns legal experts who argue that powerful technology like the one Cellebrite builds and sells, and how it gets used by law enforcement agencies, ought to be public and scrutinized.

“We don’t really want any techniques to leak in court through disclosure practices, or you know, ultimately in testimony, when you are sitting in the stand, producing all this evidence and discussing how you got into the phone,” the employee, who we are not naming, says in the video.

“The results these super-secretive products spit out are used in court to try to prove whether someone is guilty of a crime,” Riana Pfefferkorn, a research scholar at the Stanford University’s Internet Observatory, told TechCrunch.

“The accused (whether through their lawyers or through an expert) must have the ability to fully understand how Cellebrite devices work, examine them, and determine whether they functioned properly or contained flaws that might have affected the results.”

“And anyone testifying about those products under oath must not hide important information that could help exonerate a criminal defendant solely to protect the business interests of some company,” said Pfefferkorn.

“It’s super important to keep all these capabilities as protected as possible, because ultimately leakage can be harmful to the entire law enforcement community globally,” the Cellebrite employee says in the video.


The original article contains 821 words, the summary contains 217 words. Saved 74%. I'm a bot and I'm open source!

[–] [email protected] 28 points 1 year ago (1 children)

If the cops have it then the crims have it too. That's the way it works. Every time.

[–] [email protected] -2 points 1 year ago

Since criminals are no longer wearing jail stripes and black opera masks let's get more specific: Industrial spies are the ones who will steal your trade secrets and slush fund accounting records to assure that your business tanks and they get the juicy contracts.

National spies already have this gear, but so do our counter-espionage departments...hypothetically.

[–] [email protected] 21 points 1 year ago (3 children)

Anyone know what Cellebrite can hack these days? I thought many of the latest phones and software versions had closed their vulnerabilities. Does anyone have data on which phones and OS versions are still vulnerable?

[–] [email protected] 14 points 1 year ago (1 children)

I very briefly worked for one of their competitors a few years back. These devices are pretty much limited to whatever you can do with root on Android or jailbreaking iOS. If a person has a modern phone and a good sense of op-sec, chances are they can't get much. These things basically work by doing backups then analyzing those backups offline, searching in known locations for non-encrypted databases and images. On Android they can also do things through adb, like automated screenshots.

If you hand the cops a powered off, non-rooted, locked bootloader, non-jailbroken phone and use e.g. Signal, there's not much they'll be able to see. Of course, there seem to be other firms that operate at a higher level, and have some encryption breaking capabilities, but that's not going to be accessible to your average cop.
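Added example, not part of the comment above or of any vendor's tooling: a sketch an app developer could run over a backup of their own app to see which files would be readable as "non-encrypted databases and images" in the offline analysis the comment describes. The function names, the sample file names and the 7.5 bits/byte entropy threshold are assumptions made for this illustration.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"                  # header of a plaintext SQLite file
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")  # JPEG, PNG

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 looks random/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> str:
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    if head.startswith(IMAGE_MAGIC):
        return "plaintext-image"
    # Assumed threshold: encrypted or compressed data has no recognisable header
    return "opaque" if entropy(head) > 7.5 else "other-plaintext"

def audit_backup(root: str) -> dict:
    """Map each file (path relative to root) to its classification."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, root)] = classify(full)
    return findings

def build_sample(root: str) -> None:
    """Constructed sample tree standing in for an extracted app backup."""
    os.makedirs(os.path.join(root, "databases"))
    con = sqlite3.connect(os.path.join(root, "databases", "messages.db"))
    con.execute("CREATE TABLE msg (body TEXT)")
    con.execute("INSERT INTO msg VALUES ('constructed sample row')")
    con.commit()
    con.close()
    with open(os.path.join(root, "databases", "vault.db"), "wb") as fh:
        fh.write(os.urandom(4096))  # stand-in for an encrypted-at-rest store
    with open(os.path.join(root, "prefs.xml"), "wb") as fh:
        fh.write(b"<map><string name='user'>constructed</string></map>" * 20)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, kind in sorted(audit_backup(tmp).items()):
            print(f"{kind:18} {rel}")
```

Anything reported as `plaintext-sqlite` or `plaintext-image` is readable without any key once the backup exists; `opaque` only means the header and entropy give no hint of the format, not that the encryption is sound.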

[–] [email protected] -1 points 1 year ago

Some cryptography / privacy experts see this as a happy medium, in which it's expensive (time and resource intensive) to get into a phone's data, discouraging law enforcement from cracking open a phone on a whim (say, if officers are just fishing for probable cause because they don't have the warrant they want, or an officer is spying on their ex.)

Law enforcement is notorious for abusing forensic technology, whether IMSI-catchers to locate phones or $2 chemical drug field tests which react positive to sugar and ashes in an urn: they're not supposed to be used as a final arbiter that something is a controlled substance, rather that a sample should be sent to a lab. But they're great for establishing probable cause, which is grounds for an invasive search.

Throughout the US, most precincts have been repurposed to finding and securing any easily liquidatable assets using asset forfeiture laws on the pretense that the found lucre is criminal (it's very difficult and costly to prove otherwise, sometimes taking decades) and police teams will take apart a car (or cavity search a woman) if they've been tipped the target is loaded with something worth grabbing.

Oh and since around 2013, the NSA has been sending money-in-transit tips to local precincts, what they've gleaned from PRISM. Purpose creep!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

My wife works an Cellebrite. It's a device you connect to any phone and it gets evidence police is looking for. It can scan ANYTHING on the phone in seconds. This includes messages in applications, phone calls, images, application data. Anything.

The smart thing about this is (if used under legal hands under a non corrupt government/entity) is it can be set up to only spit out relevant evidence by some search predicate / criteria and nothing else incriminating.

So for example if someone is arrested for kidnapping and they want to know if the suspect is really a kidnapper and maybe where the victim is it can spit out anything related to the case in question but nothing else incriminating on unrelated stuff.

It does this under a set of rules admissible in court. I.e. the evidence cannot be tampered with (even by police), it assures that the evidence is actually from that specific phone and wasn't touched and so on…

[–] [email protected] 6 points 1 year ago (2 children)

Yeah, but phones have encryption and security. In order to get access to the data on the phone, Cellebrite is hacking the device to circumvent the security measures and break the encryption, which is illegal for any individual to do, and should also be illegal for a corporation to do (corporations are individuals, legally speaking).

Phone manufacturers do not want companies like Cellebrite breaking into their devices because it can be used for nefarious purposes. If Cellebrite can get in, any other hacker can get in. So, phone makers are always closing these security vulnerabilities where they can find them.

[–] [email protected] 0 points 1 year ago

Cellebrite is (hopefully) used under the law. They either get a warrant or use a perpetual warrant on urgent security stuff. At least in countries with proper laws and abiding police.

Hackers sure indeed can use the insecurities Cellebrite is using. But Cellebrite has a massive amount of budget for finding insecurities which normal hackers / people lack.

[–] [email protected] -5 points 1 year ago (1 children)

Illegal to hack my own phone? Not even close

[–] [email protected] 2 points 1 year ago (1 children)

It’s like you’re trying to miss the point.

[–] [email protected] -4 points 1 year ago (1 children)

It’s a comment, not my opening arguments to the debate, it’s perfectly legal to “hack” things you own, especially your fucking phone which pokes a hole in your argument that therefore companies shouldn’t be able to either.

It’s illegal to break into other people’s stuff, not your own which is why these loopholes will always exist for “consumers” who wish to “get back into their own stuff”

How would making it illegal for companies to find security holes in other companies’ phones prevent cops from going to underground sources if what they’re doing now is so illegal?

Idk maybe I have missed your point, I really don’t see how the logic follows

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I do agree it seems legal to hack the things you own. My comment has nothing to do with that, so your comment felt like a non sequitur, or at best a straw man.

In this case, Cellebrite is not hacking things it owns. It is hacking things other people own. It is bizarre to me how this is legal given the laws against it that individuals have been prosecuted with. Also, doing security research to find vulnerabilities usually results in disclosing those vulnerabilities to the software producer. In this case, Cellebrite is not doing that because it would not like to see those vulnerabilities patched.

[–] [email protected] 1 points 1 year ago (1 children)

Cellebrite not disclosing the vulnerabilities isn’t very “nice” but it’s not the law. I’m definitely not arguing for this company being ethical in any way. They’re also not the one hacking other people’s devices. They just make the device that is capable of doing so.

Forgive the analogy, but they’re basically making guns. Now whether or not we should allow anyone to make weapons that could impact others is another question we’ve not had sufficient time to discuss legally yet. Mostly because the govt in my country is old as shit and mostly clueless about tech

[–] [email protected] 1 points 1 year ago (1 children)

They do hack the devices though. https://9to5mac.com/2022/02/10/cellebrite-kit-cant-unlock-iphones/

To follow your gun analogy, it’s like “we won’t sell you this special gun, but for a fee we can be your hit man.”

[–] [email protected] 1 points 1 year ago

Oh…

Yeah that’s not so great and should definitely be handled. How do they know for example that you’re with the police for sure or not etc etc

[–] [email protected] 4 points 1 year ago (1 children)

The question is which devices it works on. Probably mostly older ones, but I wouldn't be surprised if they invest heavily into zero day research and can do some stuff with newer ones as well.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

I wrote with 100% confidence: all of them. This is what they are: a zero day warehouse company and trader.

[–] sweeny 2 points 1 year ago (1 children)

It's true, my uncle's cousin works for Cellebrite and says they can even hack into our brains

[–] [email protected] 2 points 1 year ago

I trust you, bro

[–] [email protected] -2 points 1 year ago

Laughs in FDE pinephone