Pages

3 November 2016

When the FBI Has a Phone It Can’t Crack, It Calls These Israeli Hackers

Kim Zetter
November 1, 2016

When the FBI Has a Phone It Can’t Crack, It Calls These Israeli Hackers

Earlier this year, at the height of a very public battle between the FBI and Apple over whether the computer maker would help decrypt a mass murderer’s locked iPhone, it appeared that a little-known, 17-year-old Israeli firm named Cellebrite Mobile Synchronization might finally get its moment in the spotlight.

After weeks of insisting that only Apple could help the feds unlock the phone of San Bernardino killer Syed Rizwan Farook, the Justice Department suddenly revealed that a third party had provided a way to get into the device. Speculation swirled around the identity of that party until an Israeli newspaper reported it was Cellebrite. 

It turns out the company was not the third party that helped the FBI. A Cellebrite representative said as much during a panel discussion at a high-tech crimes conference in Minnesota this past April, according to a conference attendee who spoke with The Intercept. And sources who spoke with theWashington Post earlier this year also ruled out Cellebrite’s involvement, though Yossi Carmil, one of Cellebrite’s CEOs, declined to comment on the matter when asked by The Intercept.

But the attention around the false report obscured a bigger, more interesting truth: Cellebrite’s researchers have become, over the last decade, the FBI’s go-to hackers for mobile forensics. Many other federal agencies also rely on the company’s expertise to get into mobile devices. Cellebrite has contracts with the FBI going back to 2009, according to federal procurement records, but also with the Drug Enforcement Administration, the Secret Service, and DHS’s Customs and Border Protection. U.S. state and local law enforcement agencies use Cellebrite’s researchers and tools as well, as does the U.S. military, to extract data from phones seized from suspected terrorists and others in battle zones.

The company is poised to seize a prominent and somewhat ominous place in the public imagination; just as Apple has come to be seen as a warrior for digital protection and privacy against overreaching government surveillance, Cellebrite is emerging as its law-and-order counterpart, endeavoring to build tools to break through the barriers Apple and other phone makers erect to protect data.


“Vendors … are implementing more and more security features into their product, and that’s definitely challenging for us,” says Shahar Tal, director of research at Cellebrite. “But we’ve solved these challenges before [and] we continue to solve these challenges today.”

In July, months after the unknown third party provided the FBI with a method for getting into the San Bernardino phone — an iPhone 5C running iOS 9 — Cellebrite announced that it had developed its own technique for bypassing the phone’s password/encryption lock. And the company is confident that it will be able to deal successfully with future security changes Apple may make to its phones in the wake of the San Bernardino case.

“If it’s going to be done, it’s going to be done in this building,” Carmil told The Intercept during a visit to the company’s Israeli headquarters earlier this year.

Cellebrite’s ascent comes at a time when mobile forensics has never been more important to law enforcement and intelligence agencies. Data extracted from phones has eclipsed data extracted from desktop and laptop computers in recent years, since the former can yield not only detailed logs about a user’s activities, interests, and communications, but also, in many cases, map the user’s whereabouts over weeks and months to produce a pattern of life. 

The story of Cellebrite’s emergence as a forensic powerhouse is the story of how mobile forensics itself has evolved over the years — beginning first in the late ’90s with a simple tool for migrating user contacts from one cellphone to another, which morphed in 2007 to a solution for harvesting address book data from PDAs and feature phones, to the complex multistage operations needed today to bypass the sophisticated security mechanisms built in to smartphones.
Ahead of Competitors

Cellebrite isn’t the only forensic game in town. It has a number of rivals around the world, each with varying strengths and weaknesses. They include the Swedish firm MicroSystemation AB, also known as MSAB, whose XRY tool is used by the Department of Homeland Security, the U.S. military and others; the U.S. firms Susteen, Paraben, and BlackBag Technologies; Magnet Forensics, a Canadian firm; and Oxygen Forensics, a Russian firm whose customers include, according to its website, the IRS, U.S. Army, DOD, DHS, and the Justice Department.

But Robert Osgood, an FBI supervisory agent for more than 25 years until he retired from the bureau in 2011, says that Cellebrite and MSAB are the leaders.

“They’re the two 800-pound gorillas in the mobile forensic device world” when it comes to extracting data, says Osgood, who now directs a graduate program in computer forensics at George Mason University.
“I would be lying to say it is still close — because I know that Cellebrite works better for acquisition.”
—Heather Mahalik, advanced mobile forensics trainer, SANS Institute.

Although he says the FBI buys other forensic tools, they are primarily used in specific niches — for example, parsing and analyzing subsets of data, such as data associated with social networking apps, after it has already been extracted using a Cellebrite or MSAB tool.

Heather Mahalik, who trains about 400 federal and local law enforcement workers a year in advanced mobile forensics for the SANS Institute, says that even among these two giants, Cellebrite has been edging out its competitor over the last two years.

“There are uniqueness and little tricks in both of them that really help … but I would be lying to say it is still close [between them], because I know that Cellebrite works better for acquisition,” she told The Intercept. Mahalik says she surveys her students each year to see which tools they’re using on the job. Two years ago, Cellebrite and MSAB were almost neck and neck, but these days, she says her students mention only Cellebrite. A 2012 annual report from MSAB acknowledges that Cellebrite penetrated the U.S. market before it did, which helped it gain an advantage as a result.

Cellebrite’s forensic tools include the Universal Forensic Extraction Device (UFED), hardware bundled with proprietary software that acquires, decodes, and analyzes data from smartphones, tablets, and portable GPS devices; the UFED4PC, which is standalone software for use on a PC; and the UFED Pro, an add-on to the UFED that does something called physical extraction, which siphons data directly from a phone’s flash memory chip. This can include deleted SMS messages and call histories as well as data collected by the phone and apps that the user is unaware is being collected.

The company doesn’t help governments remotely hack into phones for real-time surveillance, as the NSO Group, another Israeli firm, reportedly does; Cellebrite focuses only on forensics — collecting data and artifacts already created and stored on phones. Physical access to the phone is required for their work.

Cellebrite’s edge lies in its ability to extract data from more mobile operating systems and chips than its competitors, often producing solutions faster than rivals. Each time a new version of a mobile phone or an update to an existing operating system is released, Cellebrite’s team of reverse engineers goes into assault mode to find zero-day vulnerabilities and other hidden pathways that will give the engineers access to data the phone makers have worked hard to block. In some cases, they’re already working on new phones before they’re released. That’s because some vendors — Cellebrite won’t say which ones, but Apple isn’t among them — ship a sample of their new phones to Cellebrite three months before they’re released, giving Cellebrite engineers a head start in cracking the devices. It’s a practice that dates back to the company’s original business, selling gear to cellular carriers that helped their customers migrate contacts from one phone to another. 

The company doesn’t put all of its forensic techniques into its automated tools, however. To prevent competitors from reverse-engineering its software to uncover and steal its unique methods and to prevent phone vendors from discovering the vulnerabilities used in its techniques and patching them, some exploits are only performed manually by its staff. Its new solution for extracting data from iPhone 5C’s running iOS 9 — the San Bernardino phone — can only be performed by a Cellebrite worker as part of the company’s Advanced Investigative Services division, also known as CAIS. This is a premium unlocking subscription service that costs $250,000 a year in the U.S., according to a DEA procurement record, and will also get customers help in bypassing encryption on the iPhone 4S and 5, the Samsung Galaxy S6 and Galaxy Note 5, and some Galaxy S7s, among other devices. Though Cellebrite will also unlock phones as a one-off service, for about $1,500 per phone.

Bypassing encryption, the most vexing problem law enforcement faces today in mobile forensics, is one of Cellebrite’s biggest selling points. The company says it has been able to “crack the code to the screen locks” on a number of phone models, allowing it to access data on the phones without a password.

“Encryption is a show stopper for most of the industry,” Tal told The Intercept. “Except for us.”
How It Began

Cellebrite employs about 520 people, most in Israel, including workers at a manufacturing facility in the southern part of the country that makes its UFED devices. The company is a subsidiary of the Japanese Sun Corporation, which took ownership of 80 percent of the firm in 2007. And although Sun doesn’t influence the company’s strategy or direction, Carmil says, its secretive corporate culture appears to have affected Cellebrite’s approach with the media. “We are not telling so much about ourselves. What we tell is what Sun has allowed us to publish,” Carmil told The Intercept.

Cellebrite’s headquarters in Israel occupies several floors of a mid-sized office tower in Petach Tikva, a small city east of Tel Aviv that was once a malarial swamp until Jewish pioneers drained it in the 19th century to make way for citrus groves. The groves have largely been replaced today with hi-tech business parks like the one Cellebrite shares with IBM and Intel.

Its modern office space was dim and quiet during an afternoon visit by The Intercept in June, except for the sound of Hebrew rock playing softly on a floor where researchers worked. Down a hallway leading to the research offices was a device lab resembling a large, highly organized shoe closet that contained more than 15,000 mobile handsets stored in carefully marked boxes. These are phones that Cellebrite has bought or received in advance from vendors over the years to analyze. 

About 200 new phones arrive to the lab monthly, each containing different versions of operating systems and configurations, since carriers like Verizon and AT&T like to customize the branded phones they offer customers by tweaking the operating system to disable and enable different features. There are also burner phones – pre-paid throwaway phones that criminals and terrorists often favor because they offer anonymity – and phones from China that pose a special challenge to extracting data because they often lack uniformity and standardization in their design.

Each phone that arrives to the lab gets a manual inspection to determine the software that’s running on it and any operating system changes the vendor has made since previous versions.



A screen outside the device lab in Cellebrite’s office shows the system for tracking devices that have been assigned to researchers.

Photo: Kim Zetter for The Intercept

Cellebrite has five forensic research teams: the team that reverse-engineers phones to find zero-day vulnerabilities and other means of extracting data; a team that focuses on translating binary data into a readable format; a cloud data team; and two teams who work on analytics, which involves mining data to create leads from different sources of data — for example, to cross-reference data extracted from a phone to determine all the locations a suspect has been in the past month. The analytics team is also working on being able to automatically identify activity in video extracted from mobile devices — an act of violence, for example.

The reverse-engineer team that Tal leads, which is responsible for finding ways into phones, has about two dozen people.

“I don’t know what the NSA has for mobile research, but in the forensics industry I’ve not been made aware of any sizable research team like we have,” says Tal, who joined the company late last year after leading the vulnerability research team at the Israeli security firm Checkpoint. 

All of this belongs to Cellebrite’s new life as a mobile forensics firm. But the company didn’t begin life in forensics.
“In the forensics industry, I’ve not been made aware of any sizable research team like we have.”
—Shahar Tal, director of research at Cellebrite.

Cellebrite launched in December 1999 with a tool that was only designed to transfer the contents of an address book from one phone to another. Back then, transferring contacts was a time-consuming task that was generally done manually. But Cellebrite developed the Universal Memory Exchange, a handheld device that resembled the clunky credit card readers airline stewards use to charge for in-flight beers, which could transfer data between any two phones, regardless of make and model. They later added capabilities for backing up, restoring, and synchronizing data as well.

They sold the device initially only to telecoms and phone stores — first in Israel and Europe, then in the U.S. By 2005 Cellebrite says the UME was in more than half of all Verizon and T-Mobile phone shops in the U.S, in addition to the phone departments of big-box chains like Best Buy and Wal-Mart, something The Intercept was unable to confirm. “Every place that offers cellular-handset selling, repair, and exchange activity, Cellebrite was there,” Carmil asserts. 

The UME became so integral to the mobile phone business that any time a vendor launched a new phone, it shipped an advance sample to Cellebrite to ensure that the UME would work with it.

“Because we got all of [the phones] from the mobile operators … no one could compete with our phone support offering for a long time,” says Carmil, who was vice president of Siemens’s commercial division in Israel before joining Cellebrite. “We came with 1,500 [phones] supported, where the competition … were struggling for 100 or 150.”

Cellebrite touts this advance look at phones as one reason for its competitive advantage in forensics. Though MSAB and Paraben, which don’t receive advance phones, naturally downplay early research like this, saying it can be counterproductive. “Many of the times the device firmware will change so much before the release that a lot of the deep research required for forensics must be redone [if done in advance of a device’s release],” Amber Schroader, CEO of Paraben, told The Intercept.

By 2006, Cellebrite was selling its UME devices to law enforcement and security forces in Israel and abroad. It was at this point that the company’s new customers developed a novel use for the UME that caught Cellebrite’s attention — they were using it to extract call logs and other data from phones seized in criminal investigations. The method worked well for generating investigative leads, but the extracted data wasn’t forensically sound to serve as evidence in court. So the customers, Cellebrite won’t say which ones, asked for a way to show courts that data hadn’t been altered after it was removed from a phone. Cellebrite only had 18 employees at the time, but Carmil and co-CEO Ron Serber immediately saw the potential in steering the company in a new direction.

“We realized that there is a market [for mobile forensics] which is already existing and established,” Carmil says.

The next year, they released their first forensic tool, which was basically an extension of the software they were already using to transfer, back up, and restore data, but with a hash function thrown in to certify the integrity of extracted data.

“That was the beauty of the whole story,” Carmil says. “We brought the same capabilities to a completely different core business.” 

A hash is a cryptographic representation of data. Run text or data through a mathematical algorithm and you get a value that represents the data. But alter the data or text, and you get a different hash when run through the same algorithm. By comparing the hash of data on a phone with the hash of data presented in court, prosecutors could show it hadn’t been altered. It can also verify that the output from two different forensic tools grabbed the same data — if hashes of the two sets of extracted data are the same.

Over time, as the number of mobile phones and data formats grew, Cellebrite added features for decoding varying formats and analyzing extracted data. 

The company wasn’t the first to enter the mobile forensics field. Micro Systemation beat them to it with a mobile forensics tool in 2003; Paraben came out with a forensic tool for PDAs in 2001, followed in 2004 by a tool for mobile phones. But Cellebrite’s solution could process data from CDMA and TDMA phones, unlike competitors. 

It was easy to extract data from mobile phones a decade ago, says Leeor Ben-Peretz, executive vice president for products and business development at Cellebrite. The devices had none of the sophisticated security protections they have today and there was a lot of public documentation that detailed programming interfaces, so researchers for the most part didn’t have to reverse-engineer operating systems and applications to understand how they worked.

All of that changed in January 2007 when Apple introduced the iPhone, a smartphone that blended music, email, text messaging, web browsing, camera, and desktop applications with an easy-to-use touchscreen interface. The following year, Apple added GPS to the phone.

It was a forensic bonanza for law enforcement, but Apple wasn’t generous with its documentation the way other phone makers had been. And as subsequent versions of the iPhone came out, Apple added security protections, including encryption, that made it even more difficult to extract data. Cellebrite scrambled to expand its research team. Carmil won’t say why — he’s silent on a lot of things about the company — but it seems to have coincided with the forensic challenges the iPhone brought.

Cellebrite went looking for skilled reverse engineers, particularly among former members of the Israeli military’s Unit 8200, the famed tech and signals intelligence unit where many of the country’s elite hackers and vulnerability researchers hone their skills. Tal, Cellebrite’s 33-year-old director of research, hails from the unit.

The research efforts paid off and the company’s forensic business soared, as shown by federal procurement records, particularly among U.S. law enforcement. Cellebrite has held about 230 federal contracts over the years, with the first dating to late 2007 when it signed contracts with the DEA, Secret Service, and the Navy’s Space and Naval Warfare Systems Command. The National Guard Bureau of Tennessee purchased six UFED devices in 2008, noting in its procurement document that the DEA already had “over 200” of them. On September 11, 2009, the FBI appears to have signed its first contract with Cellebrite. And by the end of that year, the company says more than 4,500 UFED devices were in use around the world.

Something else was happening to push sales in the U.S., according to Christa Miller, Cellebrite’s former director of mobile forensics marketing from 2012 to 2015. Wireless carriers were storing customer text messages for only short periods of time, and law enforcement was desperate to find a way to get evidence from customer devices even after it vanished from telecom servers and after users deleted it from their phone, Miller says.

So in November 2009, Cellebrite launched a new product, the UFED Physical Pro, to extract data from the flash memory chip of phones, including deleted data. 

There are two primary ways to retrieve data from mobile phones — logical extraction and physical extraction. Logical focuses on content and data the phone allows you to extract naturally through its application programming interface, or API, such as contacts and text messages. Sometimes the method for extracting the data is well-documented, sometimes it’s not and requires reverse-engineering; but in general, the presence of the data is readily apparent to a user or piece of software. Physical extraction, by contrast, gets data from a phone’s flash chips that’s not normally available, like deleted information.

In August 2010, Cellebrite developed the means to do physical extractions from iPhones on the market at the time. By 2012, the company was also able to extract deleted messages from BlackBerry and Motorola devices, the latter using a technique that bypassed the user lock. And in 2014, Samsung’s Galaxy S4 family of devices fell to the company’s physical extraction methods as well. MSAB began offering its own physical extractions from flash memory in 2010.

Cellebrite is secretive about its methods, but a lawsuit the company filed against MSAB in 2013, accusing its competitor of stealing its Samsung and BlackBerry techniques, offered a few clues about the company’s process. It asserted, in regard to Samsung devices, that the technique didn’t require the phones to be powered-down first to do the extraction and that the solution involved a vulnerability in the phone’s memory, or RAM. Cellebrite’s researchers also had to locate several “landing addresses” in the RAM where they could inject a custom bootloader they created. A bootloader is code built in to a smartphone that launches the phone’s operating system when someone turns on the device. But Cellebrite’s custom bootloader halts the normal boot process in a way that allows their tool to then access and read the phone’s memory.

Cellebrite’s other solution, for the BlackBerry smartphone, relied on a vulnerability the company found in the process that BlackBerry phones used for authenticating BlackBerry software delivered from a desktop computer to the phones, which allowed them to load their bootloader to the phones. The Cellebrite bootloader, the company wrote in its lawsuit, piggybacked on the official signed BlackBerry bootloader, “thus tricking the extremely sophisticated BlackBerry security protocols” into allowing the Cellebrite bootloader to run on BlackBerry devices in place of the legitimate bootloader. 

Methods like this for doing physical extractions, however, were soon thwarted by Apple and other vendors, who began to increase the security of their phones by encrypting data stored on the devices and adding other security protections. A physical extraction yields a greater wealth of information over a logical extraction, unless the data extracted is encrypted and therefore unreadable. The problem was particularly acute with iPhones.

“Modern iPhones, if the user configures them correctly, are virtually impossible to get into,” says Osgood. 

In June 2009, for example, Apple introduced full-disk encryption with iOS 3 and the iPhone 3GS (the term “full-disk encryption” has come to refer to routine encryption of all data stored on a device, even those, like the iPhone, that do not actually use a physical disk). It was the first stage in the Going Dark problem for law enforcement, though it was only a partial eclipse, since the encryption key was not user-generated but was generated from a unique ID embedded in the phone, which meant Apple still had the ability to unlock phones. With iOS4, Apple introduced a file-encryption scheme that used a key derived from the user’s password and the embedded ID. Apple also added a time delay of 80 milliseconds to password guesses, which made it harder, though not impossible, to bruteforce the user’s password. Then with iOS 8, Apple expanded the data it encrypted on the phone — photos, messages, contacts, call history — and added even more delay to password guesses. By the ninth failed password, the wait became an hour before another password could be tried. If the user enabled an erase feature, the decryption key would disappear altogether after 10 failed password attempts.

Despite measures like these, Cellebrite has developed methods to get around or disable encryption in a number of phone models, including iPhones, though certainly not all of them.

“If you can do it, the competitive barrier is huge,” says Ben-Peretz. “And this is where we excel.” 

In June 2015, for example, Cellebrite developed a way to unlock Apple devices running iOS 8, without the risk of erasing the encryption key. Earlier this year, a forensic specialist in Italy, stymied by an iPhone 5 running iOS 8, reportedly paid $1,500 for a Cellebrite team to help get him into the phone.

This doesn’t mean full-disk encryption isn’t still a challenge.

Encryption is “definitely more complex than it was five years ago or 10 years ago,” Tal says. “There are more and more mechanisms involving encryption. … And today our typical forensic capability would be constructed out of several chains of blocks, each of which [is] solving a different technology layer or mechanism in order to provide the eventual result.”

To defeat password locks and encryption, the company has developed custom bootloaders that in some cases can interrupt the boot process of the legitimate bootloader on a phone before the operating system loads and before the password-locking mechanism kicks in. The details of how it does this vary depending on the phone, says Tal. And the process for cracking an iPhone is much more complicated than this, though he won’t elaborate.

A lawsuit Cellebrite filed last year against Oxygen Forensics touched on its solution for disabling the screenlock on some Samsung Android devices. According to a court document in the case, Cellebrite developed special lock disabler code — commands that can run on the phones, despite their screens being locked, and disable the locks. Cellebrite did something similar with LG Android phones, by identifying which files on the phone control the screen-locking function and manipulating them to disable the lock.
Limits of Encryption Cracking

Bollö, the MSAB CEO, admitted that encryption is hard for his company to address, though he told The Intercept, “we have solutions for either working around or trying to bypass” encryption. Asked to elaborate on those methods, however, he couldn’t provide a clear example. 

“It is not as simple as getting around encryption or not,” he wrote in an email. He noted that these days, the problem isn’t just the extra security and encryption built in to phones themselves, but also the encryption in mobile apps.

“I think both Google and Apple have more than 2 million apps on their app stores, and each app has their own database or encryption — they are updated 10 times as often [as phone operating systems],” he said during an interview in the company’s Virginia office. “That’s a much bigger challenge than specific phones.”

Indeed, each forensic tool can only extract data from a small percentage of apps, so they focus on the most popular ones that are likely to yield important forensic data. The data for each app requires decoding if it’s in a special format. And once data is extracted, it has to be analyzed and presented in a format customers can understand.

This is largely what makes mobile forensic tools so expensive — the many variations of phones, operating systems and applications they have to address. Mobile forensic tools can cost $10,000 to $14,000 for the base tool or software, with an additional annual subscription for upgrades — the release notes for new versions of Cellebrite’s tools and software list dozens of mobile apps and mobile handsets and operating systems that are newly supported by each upgrade.

Tal says the breakthroughs they achieve in cracking phones are rewarding, but his research team gets other satisfaction from the work. “You see murderers, you see child molesters get behind bars because of data that we extracted yesterday, and it’s a very immediate connection with the purpose of what we’re doing here,” he says. “We’re not just security researchers who work on this forensic capability to make money for the company; there’s a story behind this for the people.”

Cellebrite, he insists, gives highly skilled researchers a more ethical and acceptable outlet for their talents than, say, selling vulnerabilities and exploits to questionable buyers as some researchers do. He doesn’t name names, but researchers at the Citizen Lab in Canada recently found that Cellebrite’s compatriots at the NSO Group had supplied iPhone zero-days to the United Arab Emirates government to install a spy tool on a phone used by a local human rights activist. “[T]here are a lot of very good people, very good talents in this space who don’t necessarily feel very comfortable working for someone who may sell their product to a foreign government that may or may not use it against journalists in their countries and oppressive regimes,” Tal says. 

He says their customers are first-world Western law enforcement agencies and notes that he’s had interest from a lot researchers lately who have been expressing an interest in working for Cellebrite “because they know the research we do doesn’t go into the ‘shady’ areas. We have a strong ethics backbone, a clear-use case for our capabilities, and dramatically less potential for abuse should ‘evil customers’ attempt to deceive us.”

This doesn’t mean that Cellebrite is without controversy. The company works at the epicenter of an increasingly important U.S. policy debate about government use of computing vulnerabilities and exploits for surveillance purposes and about how keeping those vulnerabilities secret leaves the devices of millions of people vulnerable to intruders of all sorts. Apple still doesn’t know what iOS vulnerability the mystery party used to help the FBI hack into the San Bernardino phone, leaving many iPhone users at risk of someone else using the same vulnerability on their phones.

Tal says Cellebrite’s researchers have deliberated at times about disclosing vulnerabilities they found to vendors, but won’t say if they’ve actually disclosed any.

“Sometimes we do want to disclose a vulnerability because we think that’s in the best interest of our customers and in the best interest of maintaining some aspect of privacy and security,” he says. “But then of course [the] forensics business is entailed with getting access to information the vendor maybe did not want you to have access to. So there’s somewhat of a delicate dance around this.”

No comments:

Post a Comment