Cellebrite UFED

Cellebrite UFED device for extracting forensics information from mobile devices
Website: cellebrite.com/en/ufed-ultimate/

The UFED (Universal Forensics Extraction Device) is a product series of the Israeli company Cellebrite, which is used for the extraction and analysis of data from mobile devices by law enforcement agencies.[1]

History

In 2019, Cellebrite announced a new version of the UFED, called the UFED Premium. The company claimed that it can unlock iOS devices including those running iOS 12.3 and Android phones such as the Galaxy S9.[2]

Cellebrite does not allow the resale of their products. The original list price of the product is around US$6000, but they have been sold on eBay for around US$100. Some devices that were resold still contained data about criminal investigations.[3]

In 2021, Moxie Marlinspike, creator of the encrypted messaging app Signal, released a blog post on the app's website detailing a number of vulnerabilities in Cellebrite's UFED and Physical Analyzer software that allowed for arbitrary code execution on Windows computers running the software. One exploit he detailed involved the UFED scanning a specially formatted file which could then be used to execute arbitrary code on the computer running the UFED. Marlinspike wrote that the code could then "[modify] not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way".[4] Marlinspike also found that Cellebrite software was bundled with out-of-date FFmpeg DLL files from 2012, which lacked over 100 subsequent security updates. Windows Installer packages, extracted from the Windows installer for iTunes and signed by Apple, were also found, which he said raised legal concerns.[5] Cellebrite issued a statement in response, saying the company "is committed to protecting the integrity of our customers' data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available."[6] The report by Signal followed an announcement by Cellebrite in 2020 that it had developed technology to crack encrypted messages in the Signal app, a claim the company later retracted and downplayed.[7][8]

The announcement by Marlinspike raised questions about the integrity of data extracted by the software,[9][10] and prompted Cellebrite to patch some of the vulnerabilities found by Signal and to remove full support for analyzing iPhones.[11][12]

Products

Cellebrite sells various products in the UFED series:[13]

  • UFED Physical Analyzer
  • UFED Logical Analyzer
  • UFED Phone Detective
  • UFED Cloud Analyzer

Features

On the UFED Touch, the operator selects the type of data extraction and the device vendor from a wide list of supported vendors. Once the extraction is complete, the extracted data can be analyzed in the Physical Analyzer application.[14]

The Cellebrite UFED Physical Analyzer supports the following features:[14]

  • Extraction of device keys, which can be used to decrypt raw disk images as well as keychain items
  • Revealing device passwords, although this is not available for all locked devices
  • Passcode recovery attacks
  • Analysis and decoding of application data
  • Generating reports in various formats such as PDF and HTML
  • Dumping the raw filesystem for analysis in other applications

References

  1. Khalili, Joel (2021-07-31). "Cellebrite: The mysterious phone-cracking company that insists it has nothing to hide". TechRadar. Archived from the original on 2021-07-31. Retrieved 2021-09-07.
  2. "Cellebrite Now Says It Can Unlock Any iPhone for Cops". Wired. ISSN 1059-1028. Retrieved 2021-09-07.
  3. Swearingen, Jake (2019-02-28). "Cops' Favorite Phone Hacking Tool Is Being Sold on eBay". Intelligencer. Archived from the original on 2019-03-01. Retrieved 2021-09-07.
  4. Marlinspike, Moxie (2021-04-21). "Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective". Signal Blog. Archived from the original on 2021-04-21. Retrieved 2021-04-22.
  5. Goodin, Dan (2021-04-21). "In epic hack, Signal developer turns the tables on forensics firm Cellebrite". Ars Technica. Archived from the original on 2021-04-21. Retrieved 2021-04-22.
  6. Kan, Michael (2021-04-21). "iPhone Hacking Device From Cellebrite Is Rife With Exploitable Flaws, Says Signal". PCMag. Archived from the original on 2021-04-21. Retrieved 2021-04-22.
  7. "Encrypted chat app Signal alleges flaws in Cellebrite equipment". Reuters. 2021-04-21. Retrieved 2021-04-22.
  8. "Signal slams Cellebrite security company over alleged security holes". BBC News. 2021-04-22. Retrieved 2021-04-23.
  9. Ropek, Lucas (2021-04-27). "Signal's Cellebrite Hack Is Already Causing Grief for the Law". Gizmodo. Archived from the original on 2021-04-28. Retrieved 2021-04-28.
  10. Yaron, Oded; Benjakob, Omer (2021-04-25). "'Stop Using Cellebrite': Israeli, U.K. Police Urged to Stop Using Phone-hacking Tech". Haaretz. Archived from the original on 2021-04-28. Retrieved 2021-04-28.
  11. Lovejoy, Ben (2021-04-27). "Cellebrite Physical Analyzer no longer fully available for iPhones following Signal blog post". 9to5mac. Archived from the original on 2021-04-28. Retrieved 2021-04-28.
  12. Franceschi-Bicchierai, Lorenzo; Cox, Joseph (2021-04-27). "Cellebrite Pushes Update After Signal Owner Hacks Device". Motherboard. Archived from the original on 2021-04-28. Retrieved 2021-04-28.
  13. Latifi, Shahram, ed. (2018). Information Technology -- New Generations: 15th International Conference on Information Technology. Cham, Switzerland: Springer. p. 82. ISBN 978-3-319-77028-4. OCLC 1031400154.
  14. Bommisetty, Satish; Tamma, Rohit; Mahalik, Heather (2014). Practical mobile forensics: dive into mobile forensics on iOS, Android, Windows, and BlackBerry devices with this action-packed, practical guide. Birmingham, UK: Packt Pub. ISBN 978-1-78328-832-8. OCLC 888036062.