I’ve already talked on and on about how various governments expect to be able to require backdoors into encrypted data, including mobile devices. When it’s pointed out that any backdoor will eventually be used by hackers, the usual response from law enforcement is to “trust us” because they have some magic ability to prevent hackers from learning about their backdoors, and to keep anyone in their organization from misusing them.
As usual, a simple reading of the news shows us how completely untrue that is, with myriad stories of law enforcement, government agency, and third-party employees misusing their access to stalk exes, spy on cute girls, and worse. Nonetheless, the argument goes on, unabated by any actual facts.
Now, it turns out that Cellebrite, the Israeli company that makes a device specifically sold to law enforcement to enable them to hack various mobile devices, has no idea where those devices end up. Some of them, oddly enough, are for sale on eBay. Not only that, they haven’t been wiped before being sold on eBay and still have information about investigations on them.
Gee, how did that happen? Could it be that some of those super-trustworthy law enforcement agents were less than careful about getting rid of their old devices? Could they have been looking to make a quick buck reselling them despite the purchase terms including a prohibition against that very thing?
I have questions. Would anyone from law enforcement, or Cellebrite for that matter, care to answer them?
- Why should anyone blindly trust that encryption backdoors won’t get misused when you can’t even keep track of your own hacking tools?
- If any of these devices were to be used by “Joe Public”, wouldn’t that be a violation of hacking laws, punishable with prison time? (Unauthorized access to a computer network/device)
- Should someone’s device get hacked because one of these was available on eBay, would Cellebrite, and the agency they sold that device to, be liable? (By not tracking their own tools, have they aided the commission of a crime?)
- Sub question – think of it this way. Cellebrite is allowed to sell a tool that you or I would be in jail for selling. They are, I assume, allowed to do that because they limit sales to only permissible customers, and not to the public. If their process allows for this, why are they allowed to sell it in the US at all?
- Also, if someone at a law enforcement agency is selling off equipment that allows illegal hacking to take place, they should be in jail too.
- And yes, the eBay seller is in the same boat, in my humble, non-lawyer opinion.
Given all of that, as this story breaks, why aren’t we hearing anything about investigations? If the device requires being hacked itself in order to work after being picked up on eBay, then OK, Cellebrite may be off the hook legally, but it is fairly instructive that the tool used by law enforcement to hack into locked devices is, ironically, capable of being hacked. At the very least, there are some LEOs out there who are incompetent when it comes to protecting investigative information, though.
If you’re going to make and use hacking tools to give criminal investigators access to mobile devices, you can’t have this sort of thing all over the internet and expect us to continue trusting you. Sorry, I don’t.
h/t to the Sensei Digital Forensics Dispatch