• Cellebrite: The mysterious phone-hacking company that insists it

    From TechnologyDaily@1337:1/100 to All on Sat Jul 31 20:15:03 2021
    Cellebrite: The mysterious phone-hacking company that insists it has nothing to hide

    Date:
    Sat, 31 Jul 2021 19:10:19 +0000

    Description:
    Cellebrite technology is invaluable to law enforcement agencies worldwide,
    but attracts plenty of criticism from privacy activists.

    FULL STORY ======================================================================

    Cellebrite refers to itself as a "digital intelligence" company, but this
    opaque description doesn't paint a particularly clear picture.

    In short, digital intelligence is code for device hacking; Cellebrite helps government and law enforcement agencies break into the smartphones and
    laptops of people under investigation - provided the client has legal grounds for doing so.

    The Israeli firm has attracted plenty of criticism in recent years from data privacy activists who say its practices are ethically unsound. Others have attacked the company for failing to disclose the active vulnerabilities it exploits to break into devices.

    However, Cellebrite is steadfast in its stance that its technology does far more good than it could possibly do harm. It also points to inconsistencies
    in the arguments of its detractors; there is little criticism of the
    execution of physical search warrants, says CMO Mark Gambill, so why should different rules apply in the digital sphere?

    "We get lumped with surveillance companies, but that's not what we do. And you cannot use our technology without a legal warrant, so if used correctly there is no breach of privacy," he told TechRadar Pro.

    "There are countless examples of our technology being used for social good; to find missing children, break up drug trafficking rings and more. But unfortunately, we're in an environment where sensationalism sells."

    However, whether intentionally or otherwise, Cellebrite has courted an air of mystery that it now seeks to dispel ahead of a Nasdaq listing that is set to value the company at $2.4 billion. According to Gambill, Cellebrite has nothing to hide.

    Legislating for abuse

    Cellebrite says it serves roughly 6,700 customers worldwide, the vast
    majority (circa 5,000) of which hail from the public sector. In this context, there are three main facets to the company's services: data collection, analysis and audit.

    As Gambill explains, criminals have become extremely savvy about using technology, and predictably, are often unwilling to volunteer their unlocked devices. With legal approval, Cellebrite's Universal Forensic Extraction
    Device (UFED) can be used to extract data stored on smartphones, computers, smartwatches and more, sometimes by exploiting active vulnerabilities in the operating systems.

    At a software level, Cellebrite's Physical Analyzer tool then helps clients
    dig through the terabytes of data often stored on consumer devices today. The company combines keyword-based filtration with artificial intelligence (AI)
    to surface specific information.

    Finally, in order to preserve evidentiary integrity, Cellebrite's hardware is supported by a management suite that keeps a strict activity log and audit trail.

    "It's critical to have transparency about who is handling evidence, because there are concerns about both privacy and tampering," said Gambill. "Our solution is able to demonstrate precisely who has accessed what data and
    when."

    Even more than most companies, Cellebrite has a responsibility to pick and choose which clients it works with. Indeed, Gambill admits there have been instances in which its technologies have been misused, although he stressed these are extremely rare.

    To shield against this eventuality, Cellebrite has designed its hardware such that it cannot be used by anyone other than active licensees. Updates rolled out every couple of weeks also mean that out-of-date Cellebrite kit is effectively useless, "unless you want to make a flower pot out of it," Gambill quipped.

    Asked about the potential for a current licensee to misuse the hardware
    behind closed doors, he told us it would be very difficult without Cellebrite finding out. "It's about having the ability to monitor what's occurring and, in rare situations where someone goes rogue, to take decisive steps."

    Gambill also notes that Cellebrite has pulled its products from a number of countries, including China and Russia, that it believes may use its
    technology in an unethical manner or that rank poorly in human rights
    indices.

    However, multiple privacy advocates, such as non-profit Access Now, claim the company has not gone far enough to legislate against the potential human rights abuses its arsenal is capable of facilitating. Further, they say Cellebrite has been too slow to cut ties with unsavory clients and took
    action only as a result of public pressure.

    In a recent open letter, Access Now and its peers argue that Cellebrite has long been aware of the potential for abuse, yet knowingly continued to sell its products into repressive regimes, in the likes of Saudi Arabia and
    Myanmar (something ex-Cellebrite employees have corroborated). Until it has taken sufficient measures to comply with human rights, the firm should not be allowed to go public, the activists say.

    Grey area

    Late last year, Cellebrite made an enemy of messaging company Signal. The
    firm had recently announced support for Signal file types and also released a report suggesting it had cracked the platform's famous encryption, but this
    was later debunked and referred to as "embarrassing".

    A few months on, Signal CEO Moxie Marlinspike released a report of his own, in which he demonstrated vulnerabilities in Cellebrite hardware. In the same post, he claimed the company "exists within the grey - where enterprise branding joins together with the larcenous to be called 'digital intelligence.'"

    He also joked he was willing to "responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in future."

    Asked about the ethics around holding onto vulnerabilities that could potentially be abused in the wild by malicious third parties, Gambill gave us an indirect response. He described the company's relationship with device vendors, such as Apple, as one of "coopetition", an amalgam of cooperation and competition.

    "Apple is a key partner of ours in many ways. Certainly, we all respect the right of people to ensure their phones have the right types of security and encryption from the standpoint of privacy," he said.

    "At the same time, we have an obligation to provide technology and tools that aid in investigations. The means by which we do that is part of our secret sauce."

    Gambill explained he does not recognize a contradiction between the company's attitude towards privacy and its approach to vulnerability disclosure, partly because it has legal grounds for its behavior and partly because the ends justify the means.

    "What we do is provide technology that you can only use with a legal warrant and to me that does not suggest operating in any grey areas - it's pretty cut-and-dry," he told us. "A lot of it is about educating the marketplace further about what exactly our technology does and the positive outcomes that come about as a result."

    And yet, ahead of its Nasdaq listing, Cellebrite is working to establish a standalone committee designed to ensure it always operates within the law and in the most ethical manner possible. This panel will be made up of people
    with no previous association with the company, says Gambill, but the full purview of the new board is still being ironed out.

    Depending on perspective, the move could be celebrated as a laudable effort
    to nip issues in the bud before they occur, or instead regarded as evidence the company is aware there are immediate ethical problems to be solved.

    Ultimately, whether something is legal and ethical are two separate
    questions, one objective and the other subjective. Although Cellebrite may well operate within the bounds of the law, whether it operates within the bounds of morality will continue to provide fuel for debate.

    Ironically, as noted by Stanford researcher Riana Pfefferkorn, the company's ability to break into devices might actually have a net positive effect on privacy. She says the firm acts as a kind of safety valve, relieving pressure on smartphone manufacturers to create backdoors into their devices, which
    many would consider an unmitigated disaster.

    Whether this uneasy equilibrium stands the test of time, though, will likely depend on Cellebrite finding a way to make itself more palatable to an increasingly vocal and privacy-conscious technology community.



    ======================================================================
    Link to news story: https://www.techradar.com/news/cellebrite-the-mysterious-phone-hacking-company-that-insists-it-has-nothing-to-hide/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)