Now you can buy police-grade iPhone hacking tools on eBay

Proof positive that privacy and security are essential in the digital age

Apple, iOS, iPhone, security, Cellebrite, mobile, Android
Imaginima / Getty Images

If you want to hack your way into an old iPhone, you can get hold of a law enforcement-grade system to do just that for a bargain price on eBay.

I think that’s a crime

I can’t stress this enough.

The very existence of tools like these is a threat to every smartphone user. That's because no matter how many times people argue that these solutions will be used only by law enforcement, these things always proliferate.

The fact that Cellebrite systems, which law enforcement was until recently spending heavily on acquiring, are now available on the open market for as little as $100 is a perfect illustration of this.

That’s even before you begin to question who the good guys are when governments become corrupted or law enforcement tools are backwards-researched or stolen.

The Cellebrite UFED (Universal Forensic Extraction Device) was designed to hack into encrypted iPhones through the Lightning port, engaging in a brute-force attack to guess the passcode. It also hacks into Android devices.

Are you protected?

Apple has taken steps to protect against such hacks in iOS 11 with the introduction of USB Restricted Mode, which was enhanced in iOS 12. This protection puts a big limit on the time during which a device like Cellebrite can hack into your devices.

This is fine if you happen to be running iOS 11 or iOS 12, but it still leaves millions of devices (running older Apple operating systems) open to abuse – and those devices still contain people’s personal data and other keys to their digital kingdom.

Instructively, most Android users remain vulnerable.

(In general, one of the best defenses iPhone users can put in place against such attacks is to make use of complex alphanumeric passcodes.)

Failings, failure, made of fail

Cellebrite has allegedly written to those who have purchased its devices to tell them not to sell them on the open market and to make sure these systems are properly wiped.

Thomas Brewster explains that failure to wipe these systems before selling them means case data and police hacking tools may also have leaked.

One hacker claims it may even be possible to extract the contacts and other personal data belonging to smartphones that had previously been unlocked using these tools. Another claims to have been able to extract Wi-Fi passwords, license controls, and more.

None of this is acceptable.

People whose devices have been investigated will sometimes be found to be innocent of any crime, and even if they are not, it seems logical to think that law enforcement as a data handler is responsible for securing that information and keeping it safe.

That these systems have hit the market without being properly secured could easily be seen as a dereliction of duty. This need to provide people with a sense of trust in the way their data is treated is one of the digital rights Microsoft, Apple, and others believe we should have in place.

Who watches the Watchmen?

It’s also important to consider that not all law enforcement authorities are equal.

While you can reasonably hope that your own agencies will act within a certain ethical framework, law enforcement elsewhere may not be so tightly controlled.

At what point will a rogue nation, agency, or agent exploit their access to these systems for selfish ends? At what consequence? How would anyone know where these systems have been sold?

The bottom line? 

No matter how well-intentioned, taking steps to make mobile devices less secure for some people will inevitably lead to them becoming less secure for all the people.

As the entire planet becomes increasingly digitized, this also means entire ecosystems, industries, and essential infrastructure components are rendered more insecure.

After all, what happens if hackers use one of these systems acquired on eBay to break into a stolen work-related smartphone that belongs to someone who happens to have access to the IT systems at an energy company? What information would they be able to extract using tools like these, and how could that hack threaten the national interest?

If nothing else, this highlights the need for effective mobile device management systems, the capacity to remote wipe devices, and the need to ensure all users fully understand how to securely use their devices.

Systems like these should never have been made available on the open market. The fact that they are utterly reinforces tech industry arguments that user privacy must be sacrosanct.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

8 highly useful Slack bots for teams
  
Shop Tech Products at Amazon