While most of Cellebrite’s UFED devices that are for resale are not new-gen, such practice demonstrates the vulnerabilities, insofar as repressive governments access the product and licensing upgrades through third parties for a few dollars, found an investigation by Itempnews. There are no limits for Venezuela, Cuba, or China to also buy this technology.
Through private resellers in e-commerce stores in the United States and Europe, anyone at the service of authoritarian governments can now purchase devices from the Israeli company Cellebrite to hack and extract from cell phones and tablets such valuable files as call logs, contacts, SMS messages, and a large amount of other personal data, even if they have been deleted.
In online stores such as eBay and a dozen other specialized websites reviewed by the Itempnews Project, devices from previous versions of Cellebrite for extraction are being offered on the Internet without major setbacks.
While most of Cellebrite’s devices that are for resale are not new-gen, such practice demonstrates the vulnerabilities, insofar as repressive governments access the product and licensing upgrades through third parties for a few dollars.
This technology requires physical access to the phone. It is not a tool to remotely hack into someone’s phone without their approval. However, in some cases, it has been used to extract the contents of devices seized during illegal examinations of journalists and human rights advocates.
The Universal Forensic Extraction Device (UFED) is the crown jewel of Cellebrite, a digital forensic intelligence company known for its phone-hacking technology.The business has amassed millions of US dollars in public and private contracts in more than a hundred countries, including the United States, by providing hardware and software for use by law enforcement agencies in criminal investigations.
However, this technology is perceived as dual-use by some governments and regulators that have found how several authoritarian regimes and governments with fragile institutions have used it to investigate their adversaries.
A Poland retailer, for instance, offers the latest generation of the UFED data-mining device, albeit, at a higher cost than the original value, which can range from $15,000 to $20,000 a unit, the Itempnews Project found.
DetectiveStore.com, which shows itself online as a supplier of forensic and security equipment, has UFED Touch II Ultimate, the newest version of these devices, for sale at $14,000.
A Cellebrite’s spokesperson told the Itempnews Project that Detective Store.com is not registered as an authorized seller. Therefore, the site, six years online according to a domain checker, might be in the business of scamming potential buyers or is a reseller willing to provide this technology to any customer, no matter what they do.
“We bought UFED from the authorized distributor in Poland in Central Europe. We have already sold about 10 different versions. We are a legitimate company with a few warehouses in Europe. Our main warehouse is in Poland,” replied the sales representative of DetectiveStore.com when questioned by Itempnews about the response given by the Cellebrite company regarding them.
Cellebrite’s license agreements stipulate that “under no circumstances may a customer resell, redistribute, transfer or sublicense our technology to a third party without the express written permission” of the company.
“Two years ago, I bought UFED to extract data from my phones and I have never received a single email from Cellebrite asking me to return my equipment,” said an eBay seller who is offering his old device.
But Cellebrite, which was acquired by Japan’s Sun Corporation in 2006 and went public on Wall Street on August 31, 2021, does not appear to be complying with its own sales standards and controls, at least in relation to private sector customers, as a range of its best-known devices, such as UFED, are under resale on the Internet and capable of trading.
The Itempnews Project took a look at a score of forensic forums in Latin America, Europe and the United States, reviewed e-commerce stores in several countries, and interviewed government officials, retired law enforcement officers, cyber experts, human rights activists, and forensic experts to determine the extent to which the informal resale of sensitive Cellebrite technology may be getting into the hands of repressive regimes at the click of a button.
The power of http://
Right now, anyone at the service of an authoritarian government such as the Chinese, Venezuelan or Belarusian government will take two minutes to buy through eBay a second-hand UFED Touch II device, for ready access to dozens of models of phones with Google’s Android and Apple’s iOS operating systems.
A reseller who was offering the UFED Touch II on eBay recently said that the device’s license had expired on November 18, 2020, “but it can be used without a license by simply pressing the ‘skip install’ button when the software starts up and the device will continue to be used normally.”
According to another reseller, the UFED Touch II device offered by them can access phones running Apple’s iOS 12.3 system and Android versions 7 and 8, “as the machine has a legacy mode, which means it can do newer updates for iOS and Android.”
The cost of several UFED Touch II devices on eBay hovers around $1,700, “a price lower than the average $10,000 someone has to pay for a new UFED Touch with an annual license fee of $3,000 to $4,000,” said Kristian Klaus, a Polish forensic specialist who has used Cellebrite products in investigations.
Cellebrite’s tools can extract and interpret data from at least 181 apps on the Android operating system and at least 148 apps on Apple iPhones, according to a report by Upturn, a Washington nonprofit organization that investigates the use of technology by the police.
Google apps like Google Maps, Gmail, and Google Photos, dating apps like Tinder, Grindr and OkCupid, Nike+ Run Club, social networks like Facebook, Instagram, Twitter, and Snapchat, web browsers like Chrome and Firefox, and even encrypted messaging apps like Signal and Telegram, can be mined with Cellebrite hardware, the report says.
Since February 2019, when Israeli activists and lawyers such as Eitay Mack, first reported the resale of Cellebrite equipment on eBay and other e-commerce websites, three years have passed and the situation remains, according to the findings of the Itemp Project.
An eBay spokesperson did not respond to multiple requests for information regarding these dual-use technology sales.
While Israeli company NSO Group’s Pegasus spyware can remotely access and control a cell phone and the content it stores – including encrypted data – law enforcement is using Cellebrite’s forensic products to extract the contents of seized devices when it is impossible to find passwords and gain entry.
Dozens of U.S. law enforcement agencies, in addition to the Department of Homeland Security, have been Cellebrite’s customers for quite a few years with the UFED device as the first product to order from the purchase catalog, the Upturn report revealed.
In the last year, Israeli technology companies have been under pressure after a July 2021 media pool disclosed that spyware, developed by NSO Group, was used to hack at least 50,000 phone numbers of human rights activists, public officials, international leaders, and journalists around the world.
The Biden administration in November 2021 added NSO Group to the “blacklist of entities” that prohibits the company from acquiring U.S. technologies after determining that its wiretapping tools had been used in “malicious cyber activities.”
As regards Cellebrite, the issue has been no less controversial, after it became known that products such as UFED were sold and their software updated for repressive governments such as Russia, Venezuela, Saudi Arabia, Belarus and China.
Such disclosure forced Cellebrite executives in Petaj Tikva, the city in central Israel where the company is headquartered, to restrict and discontinue the sale of its devices to governments that are repressive, or subject to international sanctions, or on the FATF blacklist.
At the service of Venezuela
When, in October 2021, the Venezuelan Military Counterintelligence Directorate (DGCIM) broadcast on a state television program the use of UFED Touch II as one of its star technologies “for the fight against crime,” the message caused a stir among human rights activists in the Caribbean country.
The DGCIM has long been under international scrutiny due to constant allegations of its involvement in espionage and repression. Two United Nations (UN) reports issued in 2020 and 2021 informed on torture against detainees at the various sites of that agency.
Luis Carlos Díaz, a renowned Venezuelan journalist and human rights activist, highlighted that the findings of the two UN reports on the situation in Venezuela illustrated the systematic practice of the authorities to seize without warrant the cell phones and computers of citizens opposed to the regime, in many cases applying coercion to gain access to passwords.
“The UN report recounts how people who were victims of arbitrary detention and torture were demanded the passwords to their personal phones; police officers then accessed the devices and used WhatsApp conversations for blackmail,” Diaz recalled.
The way in which the authoritarian regime of Nicolás Maduro has used state agencies and security forces to repress and torture did not give credence to the Venezuelan government’s flaunting of a UFED Touch II. Or at least publicly.
In November 2019, Maduro announced that the Government would pay US$55,000 for the purchase of UFED Touch II devices to be delivered to the scientific police.
After the announcement, it was not disclosed whether the contract with Cellebrite was ultimately executed.
Aprobé recursos por la cantidad de € 12 millones 590 mil 890, o su equivalente en Petro, para el fortalecimiento del CICPC y de todo el Sistema Nacional de Policía. Un esfuerzo que garantiza mayor eficiencia para brindar seguridad y Paz a toda Venezuela. pic.twitter.com/mTUbx6WjHr
— Nicolás Maduro (@NicolasMaduro) November 15, 2019
Nonetheless, Venezuelan authorities had been on Cellebrite’s client list since at least 2013, when Hugo Chavez was still the nation’s president, according to a report in the Israeli daily Haaretz in September 2020.
Even after Chavez’s death in 2013, and Maduro’s rise to power, the Israeli company continued to provide its technology to security agencies, despite the fact that Venezuela and Israel have not maintained diplomatic relations since 2008, the Itemp Project found after reviewing court documents and interviewing Venezuelan law enforcement officials.
“Cellebrite has not worked with defense or law enforcement clients in Venezuela for several years, and will not change its policy regarding the country as long as the current regime remains in power,” a company spokesperson said in an emailed statement.
Venezuela’s Public Prosecutor’s Office was the first to use UFED devices, and years later the Venezuelan Military Counterintelligence Directorate (DGCIM) did so to carry out its own investigations, said a former Public Prosecutor’s Office official on condition of anonymity because he was not authorized to detail state contracts.
Although the Israeli technology company “has mechanisms in most of our hardware solutions to ensure that they do not function beyond their expiration dates if they are not legally renewed,” in the words of the spokesperson, the Venezuelan government’s reports raised doubts.
A senior Israeli government official told the Itempnews Project that the Cellebrite’s sales occurred “many years ago and did not fall into the category of sensitive security technology that could be restricted for exports to Venezuela.”
“At this time, Israel would not authorize the export to Venezuela of technologies (such as those marketed by Cellebrite). We know what is going on in that country, where there is no independence of powers,” warned the senior official, who spoke on condition of anonymity due to the sensitivity of the matter.
This is the first time that a senior Israeli government official comments specifically on the case of UFED devices in Venezuela.
The Defense Export Control Agency (DECA), an arm of Israel’s Defense Ministry, and the Ministry of Economy and Industry, in charge of licensing the export of technologies produced in the Jewish State, did not respond to requests for information.
Amid the storm raging at NSO Group – the maker of the Pegasus spyware – Israel tightened in December 2021 its control over its companies’ cyber exports through DECA. In addition, it has plans to publish an updated version of the end-user declaration that countries must sign as a condition for obtaining sensitive technology licenses.
Although Israel is not a party to many of the pacts, groups, and agreements related to exports of arms and dual-use technologies that need to be controlled, it implements controls based on these systems and requires authorization to export all items on its control lists.
The trade of forensic technology for the fight against global crime and terrorism has been a long-standing business in the United States and Europe, where the world’s largest exporters are based.
The underlying risk is the eventual use of technology for some other purposes. Time has shown that this has been the case.
Obsolete versus propaganda
While the Venezuelan government claims to have UFED Touch II devices and other cutting-edge dual-use technologies, for some critics this is more a way to intimidate than the reality of a country under economic sanctions, where large international companies are wary of being associated with the Maduro regime.
The point at issue has been Cellebrite’s lack of transparency in dealing with the Venezuelan affair, by giving ambiguous answers that fuel the Venezuelan dictatorship’s power discourse.
“In the extremely rare event that our technology is used in a manner that is not in accordance with international law or does not comply with Cellebrite’s terms of use, we will terminate the license immediately and will not provide software updates,” a company spokesperson argued.
Yossi Carmil, the CEO of Cellebrite, said he had “nothing to add beyond the information we have already provided” about the Venezuela case, in a statement emailed to Itempnews.
“The fact that, if Cellebrite claims that it stopped business in certain countries, we have no evidence to suggest that the company also requested for the devices to be returned to them. This means that, even if they stop updates and invalidate the warranty (which their model contract seems to suggest), UFED could still be used on older devices,” warned Natalia Krapiva, technology legal counsel at Access Now, a non-profit organization working for human rights and the free and open Internet.
“Revoking the license and warranty is not enough. In the case of Venezuela, we would argue that Cellebrite should not have sold UFED in the first place, given the Venezuelan government’s horrendous human rights record,” Krapiva reasoned.
Even when Maduro announced the purchase of new UFED equipment, in 2019, his government was already under scrutiny for police repression and alleged extrajudicial killings in 2017, amidst nationwide protests.
The former commissioner of the Venezuelan Scientific Police, Víctor Ugas, recalls that in 2011 the Venezuelan government received several pieces of Israeli technology equipment through donations from the European Union at a critical moment of insecurity in the country.
“On one occasion, donations arrived from Israel, briefcases that were to work at the level of collaboration for the interception of calls in matters of extortion and kidnapping due to the high volume of this kind of crimes in Venezuela at that time,” recalled Ugas, former national head of Criminalistics of the Scientific, Criminal and Forensic Investigation Agency (CICPC) between 2011 and 2012.
Ugas does not know if the technology received by the security forces was Cellebrite. However, he clarified that, concerning telephone eavesdropping, the Bolivarian Intelligence Service (SEBIN) and the DGCIM are responsible for these investigations.
Both agencies were accused by the UN in its report of serving the government to prop up its apparatus of control and repression.
Reports say something
As an expert witness, Raymond Orta, a Venezuelan lawyer and specialist in technology and computer forensics, saw Cellebrite equipment in the hands of Venezuelan law enforcement agents on several occasions, evidencing its long-standing use.
“In 2017 such devices were already in Venezuela, but officials told me that the licenses were close to expire. I don’t know if there was a renewal,” he recalled.
For a veteran of forensic analysis like Orta, “the essential thing in this area is the constant update. I don’t really know if Venezuela has state-of-the-art technology at the moment, but this equipment, in general, if it is not updated, gets out of date very quickly due to changes in operating systems and applications.”
Most of the non-governmental organizations that offer public defense and legal accompaniment in Venezuela have found that the Government has tools to extract information from cell phones and computers when they do not have the capacity to access it through passwords.
“We have seen court records of some cases we have defended where prosecutors claim that they managed to extract information from cell phones to be presented in court cases, but they do not specify what kind of tools they use,” said a representative of a Venezuelan organization dedicated to the legal defense who asked not to reveal his identity for fear of reprisals from the authorities.
The Itempnews Project was unable to independently review the aforementioned court records.
When Cellebrite announced its impending IPO last summer, human rights activists pushed for the Securities and Exchange Commission (SEC) to reject the company’s proposal until it addressed the lack of safeguards that led to the sale and use of its technology by repressive regimes.
In a final effort to improve its image, Cellebrite established an Ethics Office and Integrity Committee that “seeks to advise the board of directors on key issues such as responsible business practices, laws or regulations applicable to the sale of its technologies.”
But in many cases these ad hoc committees work blindly, not knowing what kind of products are being developed by technicians and scientists, protected by corporate secrecy.
Cellebrite has not fared badly of late. The company’s 2021 revenues totaled $246 million, up 26% from 2021, according to the latest financial results, driven primarily by subscriptions to developed technologies (such as UFED, though not specified) and public and private contracts.
The White House and the Congress are aware of an increasingly alarming trend in authoritarian governments to resort to software that allows surveillance of the population and intimidation of those who oppose the current leader, regardless of the real purpose for which the security technologies were created.
Krapiva, the Access Now attorney, warns that, in the case of UFED devices, “we are talking about a powerful forensic tool that can crack passwords, encryption, and other security measures, so the sale and use of such devices should be monitored by both the company and external regulators.”
Story by: Frank Lopez Ballesteros
Edition: Conchita Delgado
Why we wrote this story?
Because while most Cellebrite devices for resale are not a new generation, such a practice exposes vulnerabilities, as repressive governments access the product and license upgrades through third parties for a few dollars. So there are no limits for Venezuela, Cuba, or China to also buy this technology and harass journalists, opponents, and anyone they consider "inconvenient."
