Hacking a smartphone just got a whole lot cheaper.
A tool once favored by law enforcement for pulling data off locked phones is now available to the general public. We can’t imagine the Israel-based company behind the Cellebrite hacking device is all that pleased with its newly expanded customer base, but here we are. There’s not much it can do about it at the moment, as the sales are taking place on eBay — where a quick search shows numerous used models listed for prices as low as $50.
According to Forbes, which first reported the news, a brand new Cellebrite device will set law enforcement back around $6,000. Things are quite a bit cheaper on the online auction site, where one seller has what appear to be 10 used models for sale ranging in price from $50 to $70.
That’s quite the discount.
Notably, Cellebrite appears to be extremely displeased with the resale of its phone-cracking tech. Matthew Hickey, a security researcher and co-founder of Hacker House, purchased a Cellebrite UFED-36 model off eBay, and proceeded to tweet an analysis and breakdown of the device.
Cellebrite UFED-36 model innards, FPGA, Intel Xscale processor, WinCE 5.0. trying to dump the flash ROM without removing the BGA chips (I’ll destroy the board in the process). There is a debugger header with a mix of 5V and 3V signal logic. I want to install Linux on it. pic.twitter.com/6QpE88nvZA
— Hacker Fantastic (@hackerfantastic) February 27, 2019
Shortly thereafter, Hickey tweeted what looks to be a statement from Cellebrite admonishing resellers.
“As a part of Cellebrite’s inventory control process we need to ensure that our products are only used by the original owner,” reads the statement. “As a reminder, selling or distributing any of your Cellebrite equipment to other organizations is not permitted without written approval from Cellebrite.”
We reached out to the company to confirm that the message is in fact authentic, but did not receive a response as of press time. If it is legit, however, the statement makes clear that the stakes are higher than just Cellebrite’s profit margins.
“Since it may be possible for these devices (including old devices such as the discontinued Touch) to access private information,” the statement warns, “we ask that you treat any Cellebrite equipment within your organization with the highest degree of security.”
In other words, the old models may still be able to gain access to smartphones. And that’s not all: Hickey told Forbes that he was able to view some usage history — like when the Cellebrite was used, what types of phones were searched, and what kind of data was pulled off those phones — on the device he purchased.
Essentially, these smartphone hacking tools — possibly used by law enforcement agencies — appear to not have been wiped before resale.
And now all that data, and the means to get more, can belong to a hacker for the low low price of $100 or less.