Vice Motherboard: US State Police Have Spent Millions on Israeli Phone Cracking Tech

Original article published by Vice Motherboard.

By Joseph Cox

This is part of a Motherboard mini-series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.

Data from mobil devices

When cops have a phone to break into, they just might pull a small, laptop-sized device out of a rugged briefcase. After plugging the phone in with a cable, and a few taps of a touch-screen, the cops have now bypassed the phone’s passcode. Almost like magic, they now have access to call logs, text messages, and in some cases even deleted data.

State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones, according to documents obtained by Motherboard. Over 2,000 pages of invoices, purchase orders, communications, and other documents lay out in unprecedented detail how one company in particular has cornered the trade in mobile phone forensics equipment across the United States.

Cellebrite, an Israel-based firm, sells tools that can pull data from most mobile phones on the market, such as contact lists, emails, and wiped messages. Cellebrite’s products can also circumvent the passcode locks or other security protections on many current mobile phones. The gear is typically used to gather evidence from a criminal suspect’s device after it has been seized, and although not many public examples of abuse are available, Cellebrite’s tools have been used by non-US authorities to prosecute dissidents.

Previous reports have focused on federal agencies’ acquisition of Cellebrite tools. But as smartphones have proliferated and increasingly become the digital center of our lives, the demand and supply of mobile forensics tools has trickled down to more local bodies.

Cellebrite tool

Cellebrite has sold its wares to regional agencies in 20 states, and likely many more, according to the cache of documents acquired by Motherboard. Those items specifically include Cellebrite’s range of Universal Forensic Extraction Devices (UFED); the typically laptop-sized or handheld devices for hoovering up data from phones. Some of the agencies note in the documents that they use the technology for legal searches of devices.

Cellebrite does not publicly comment on its customers, and did not respond to a request for an interview on the company’s US strategy.

According to a spreadsheet detailing what models of phones Cellebrite can handle, the UFED can extract data from thousands of different mobile devices. It can’t, however, extract the passcode on the iPhone 4s or above.

“We use it for any and all crimes,” Nate McLaren, Special Agent in Charge at the Iowa Department of Public Safety’s Cyber Crime Unit and Internet Crimes Against Children Task Force, told Motherboard in a phone call. “Anywhere we think there might be a digital footprint or a digital fingerprint.”

Map of U.S. with figures for use of Cellebrite tools

To get a better idea of the extent mobile phone forensics technology has trickled down from the federal level, Motherboard filed public record access requests with state police forces and highway patrols in every US state, asking for records from 2010 to this year. Some agencies diverted the request to respective state Department of Public Safety or other similar institutions. Others declined to release the records, pointing to exemptions in local law; a few demanded excessively high fees for the documents to be released, and some did not respond to the requests at all. Some agencies only retained related records for five years, so provided those.

In all, Motherboard has obtained documents from agencies in 20 states, including the Illinois State Police, Missouri State Highway Patrol, and Arizona Department of Public Safety. (The cache of documents is included at the end of this article, as well as spreadsheets created by Motherboard breaking down each agency’s expenditure.)

As our investigation found, most of the agencies spent tens of thousands of dollars acquiring Cellebrite’s phone cracking and forensic UFEDs. Cellebrite sells several different versions of the UFED, which either comes as an actual device—the UFED Touch, Ultimate, or Pro—or a piece of software for a computer called UFED4PC.

In short, there are two main ways Cellebrite’s UFEDs extract data from devices: either in a logical form, or a physical form.

“Logical is what-you-see-is-what-you-get,” Rene Novoa, senior manager at forensics company DriveSavers Data Recovery, told Motherboard in a phone call, referring to whatever data is immediately available on the phone. This likely includes messages, photos, or the information in databases generated by apps. Physical extraction, meanwhile, allows the retrieval of hidden or deleted material.

Getting around many phone’s passcodes is easy pickings for the UFED too.

“That is sort of built into their product: We do have the ability to get past many passcodes,” Novoa continued, referring to his own use of Cellebrite products. Once an investigator has broken into the phone, they can export chat messages in a conversation format and create PDF reports.

How Cellebrite devices work

According to one memorandum from the Delaware State Police Criminal Intelligence and Homeland Security Section, the UFED can be used with little to no training.

But the vast majority of the agencies’ expenditure went on renewing annual licenses for Cellebrite products. If police forces want to be able to pull data from the latest phones, they have to keep paying subscription costs to the Cellebrite service. The Arizona Department of Public Safety spent around $110,000 over three years on these subscriptions alone. The Illinois State Police spent just over $45,000 on renewals, and the Iowa Department of Public Safety spent around $92,000.

Some funds were used to trade-in one Cellebrite model for another, and to a lesser degree, some forces paid for extra training in how to use the forensics gear.

Agencies also spent tens of thousands of dollars on other Cellebrite products,including Link Analysis, a piece of software that visualizes data pulled from phones into easy to understand graphs, allowing investigators to quickly map out relationships between multiple individuals’ contacts, or a device’s GPS location across time.

Some agencies did buy equipment from other mobile phone forensics providers. There’s BlackBag, which has a particularly good reputation for extracting data from Apple devices. Magnet Forensics was mentioned too, as well as Paraben.

But the dominating provider throughout the documents was clearly Cellebrite, a company that still maintains healthy relationships with phone manufacturers, allowing them early access to products in order to find exploits.

Purchase requisition

Why Cellebrite?

Motherboard spoke to a half-dozen current and former members of the mobile forensics community about why they thought Cellebrite, which has been explicitly mentioned in episodes of CSI:Cyber, is so successful in the United States. Aggressive marketing, the ease of use of the product, and the range of phones that the company covers all came up multiple times.

“They were always the flashy kid in class,” Jonathan Zdziarski, a forensic scientist, told Motherboard in a phone call.

“They made it portable. They made this thing where they can put it in the back of police cars,” Jon Rajewski, director and principal investigator at the Senator Patrick Leahy Center for Digital Investigation, who has worked with law enforcement, told Motherboard in a phone call. “They made it point-and-click.”

Arguably, Cellebrite’s subscription model has also locked some customers into a buying cycle, where they simply have to keep paying the company so they can carry on breaking into phones.

In talking about one contract, a memorandum obtained from the Delaware State Police reads that “no other types of goods or service will satisfy the requirements of the agency and no reasonable alternative sources exist.” And an email from the Iowa Department of Public Safety reads, “We have no choice but to purchase these forensic systems from Cellebrite USA, Inc. direct.” (Some forces did buy Cellebrite devices through resellers, however).

As for other agencies, according to public records Cellebrite’s US subsidiary has taken in over $2 million worth of purchase orders from the FBI since 2012. Other customers include the Office of the Inspector General, the Department of Homeland Security, and the Secret Service. Local police departments may have purchased Cellebrite devices as well.

State spending on Cellebrite products

One reason for this proliferation of mobile forensics gear across the US, and not just specifically Cellebrite, may be linked to the country’s Regional Computer Forensics Labs, or RCFLs. These FBI-funded centres for extracting data from phones train local police too. One former FBI Special Agent with forensics experience told Motherboard that once these trained officers returned to their force, they took understanding of forensics technology with them. The agent requested anonymity as he was not authorized to speak to the press.

“They would come in, they would do all the training, do their couple years, and then they would go back out into the field,” the agent said. Instead of having to rely on RCFLs, which may have a massive backlog of devices to examine, agencies could just purchase their own gear.

In one 2012 document from the Colorado State Patrol justifying the purchase of an UFED, Major M. Packard writes the force needs the device because “currently, investigators are reliant upon partners in the FBI, ICE and DEA for access to this equipment.”

State agency spending on Cellebrite

But, perhaps the most simple explanation is that the number of smartphones that need to be analysed has shot up significantly, especially within the last four years, according to the former FBI agent.

“I would say a 100-fold increase in the amount of smartphones that we were running into and needing to process,” he added.

Now, cybercrime units, child exploitation task forces, white collar crime centers, and ordinary highway patrol departments all use this technology, according to the documents obtained by Motherboard.

A Public Information Officer from the New Mexico State Police told Motherboard in an email that the force uses Cellebrite devices to investigate everything from traffic accidents to homicides. An email from the Iowa Division of Criminal Investigationreads “we have an ongoing need for these forensic systems and use them every day in our criminal investigations.”

Zdziarski, the forensic scientist, put it this way: “You’ve got cops and cruisers using it. The tools always trickle down.”

The cache of documents obtained by Motherboard can be found here.

A spreadsheet breaking down each agency’s expenditure can be found here.

Read more: http://motherboard.vice.com/en_ca/read/us-state-police-have-spent-millions-on-israeli-phone-cracking-tech-cellebrite