Earlier this year, at the height of a very public battle between the FBI and Apple over whether the computer maker would help decrypt a mass murderer’s locked iPhone, it appeared that a little-known, 17-year-old Israeli firm named Cellebrite Mobile Synchronization might finally get its moment in the spotlight.
After weeks of insisting that only Apple could help the feds unlock the phone of San Bernardino killer Syed Rizwan Farook, the Justice Department suddenly revealed that a third party had provided a way to get into the device. Speculation swirled around the identity of that party until an Israeli newspaper reported it was Cellebrite.
It turns out the company was not the third party that helped the FBI. A Cellebrite representative said as much during a panel discussion at a high-tech crimes conference in Minnesota this past April, according to a conference attendee who spoke with The Intercept. And sources who spoke with the Washington Post earlier this year also ruled out Cellebrite’s involvement, though Yossi Carmil, one of Cellebrite’s CEOs, declined to comment on the matter when asked by The Intercept.
But the attention around the false report obscured a bigger, more interesting truth: Cellebrite’s researchers have become, over the last decade, the FBI’s go-to hackers for mobile forensics. Many other federal agencies also rely on the company’s expertise to get into mobile devices. Cellebrite has contracts with the FBI going back to 2009, according to federal procurement records, but also with the Drug Enforcement Administration, the Secret Service, and DHS’s Customs and Border Protection. U.S. state and local law enforcement agencies use Cellebrite’s researchers and tools as well, as does the U.S. military, to extract data from phones seized from suspected terrorists and others in battle zones.
The company is poised to seize a prominent and somewhat ominous place in the public imagination; just as Apple has come to be seen as a warrior for digital protection and privacy against overreaching government surveillance, Cellebrite is emerging as its law-and-order counterpart, endeavoring to build tools to break through the barriers Apple and other phone makers erect to protect data.
“Vendors … are implementing more and more security features into their product, and that’s definitely challenging for us,” says Shahar Tal, director of research at Cellebrite. “But we’ve solved these challenges before [and] we continue to solve these challenges today.”
In July, months after the unknown third party provided the FBI with a method for getting into the San Bernardino phone — an iPhone 5C running iOS 9 — Cellebrite announced that it had developed its own technique for bypassing the phone’s passcode lock. And the company is confident that it will be able to deal successfully with future security changes Apple may make to its phones in the wake of the San Bernardino case.
“If it’s going to be done, it’s going to be done in this building,” Carmil told The Intercept during a visit to the company’s Israeli headquarters earlier this year.
Cellebrite’s ascent comes at a time when mobile forensics has never been more important to law enforcement and intelligence agencies. Data extracted from phones has eclipsed data extracted from desktop and laptop computers in recent years, since a phone not only yields detailed logs of a user’s activities, interests, and communications, but can also, in many cases, map the user’s whereabouts over weeks and months to produce a pattern of life.
The story of Cellebrite’s emergence as a forensic powerhouse is the story of how mobile forensics itself has evolved over the years: it began in the late ’90s with a simple tool for migrating user contacts from one cellphone to another, which morphed in 2007 into a solution for harvesting address book data from PDAs and feature phones, and has grown into the complex multistage operations needed today to bypass the sophisticated security mechanisms built into smartphones.
Ahead of Competitors
Cellebrite isn’t the only forensic game in town. It has a number of rivals around the world, each with varying strengths and weaknesses. They include the Swedish firm MicroSystemation AB, also known as MSAB, whose XRY tool is used by the Department of Homeland Security, the U.S. military and others; the U.S. firms Susteen, Paraben, and BlackBag Technologies; Magnet Forensics, a Canadian firm; and Oxygen Forensics, a Russian firm whose customers include, according to its website, the IRS, U.S. Army, DOD, DHS, and the Justice Department.
But Robert Osgood, an FBI supervisory agent for more than 25 years until he retired from the bureau in 2011, says that Cellebrite and MSAB are the leaders.
“They’re the two 800-pound gorillas in the mobile forensic device world” when it comes to extracting data, says Osgood, who now directs a graduate program in computer forensics at George Mason University.
Although he says the FBI buys other forensic tools, they are primarily used in specific niches — for example, parsing and analyzing subsets of data, such as data associated with social networking apps, after it has already been extracted using a Cellebrite or MSAB tool.
Heather Mahalik, who trains about 400 federal and local law enforcement workers a year in advanced mobile forensics for the SANS Institute, says that even among these two giants, Cellebrite has been edging out its competitor over the last two years.
“There are uniqueness and little tricks in both of them that really help … but I would be lying to say it is still close [between them], because I know that Cellebrite works better for acquisition,” she told The Intercept. Mahalik says she surveys her students each year to see which tools they’re using on the job. Two years ago, Cellebrite and MSAB were almost neck and neck, but these days, she says her students mention only Cellebrite. A 2012 annual report from MSAB acknowledges that Cellebrite entered the U.S. market before it did, and that this head start gave Cellebrite an advantage.
Cellebrite’s forensic tools include the Universal Forensic Extraction Device (UFED), hardware bundled with proprietary software that acquires, decodes, and analyzes data from smartphones, tablets, and portable GPS devices; the UFED4PC, which is standalone software for use on a PC; and the UFED Pro, an add-on to the UFED that performs what the industry calls physical extraction: rather than asking the phone’s operating system for files, it copies the contents of the phone’s flash memory chip directly, sector by sector. Because unallocated flash is copied too, this can recover deleted SMS messages and call histories, as well as data the phone and its apps collect without the user’s knowledge.
The company doesn’t help governments remotely hack into phones for real-time surveillance, as the NSO Group, another Israeli firm, reportedly does; Cellebrite focuses only on forensics — collecting data and artifacts already created and stored on phones. Physical access to the phone is required for its work.
Cellebrite’s edge lies in its ability to extract data from more mobile operating systems and chips than its competitors, often producing solutions faster than rivals. Each time a new version of a mobile phone or an update to an existing operating system is released, Cellebrite’s team of reverse engineers goes into assault mode to find zero-day vulnerabilities and other hidden pathways that will give the engineers access to data the phone makers have worked hard to block. In some cases, they’re already working on new phones before they’re released. That’s because some vendors — Cellebrite won’t say which ones, but Apple isn’t among them — ship a sample of their new phones to Cellebrite three months before they’re released, giving Cellebrite engineers a head start in cracking the devices. It’s a practice that dates back to the company’s original business, selling gear to cellular carriers that helped their customers migrate contacts from one phone to another.
The company doesn’t put all of its forensic techniques into its automated tools, however. To prevent competitors from reverse-engineering its software to uncover and steal its unique methods, and to prevent phone vendors from discovering the vulnerabilities its techniques rely on and patching them, some exploits are only performed manually by its staff. Its new solution for extracting data from iPhone 5Cs running iOS 9 — the San Bernardino phone — can only be performed by a Cellebrite worker as part of the company’s Advanced Investigative Services division, also known as CAIS. This is a premium unlocking subscription service that costs $250,000 a year in the U.S., according to a DEA procurement record, and it also gets customers help in bypassing encryption on the iPhone 4S and 5, the Samsung Galaxy S6 and Galaxy Note 5, and some Galaxy S7s, among other devices. Cellebrite will also unlock phones as a one-off service, for about $1,500 per phone.
Bypassing encryption, the most vexing problem law enforcement faces today in mobile forensics, is one of Cellebrite’s biggest selling points. The company says it has been able to “crack the code to the screen locks” on a number of phone models, allowing it to access data on the phones without a password. In practice this means defeating the passcode that gates access to the phone’s encryption keys, not breaking the underlying cipher: on a modern smartphone the data stays encrypted at rest, and the phone itself decrypts it once the lock is bypassed.
“Encryption is a show stopper for most of the industry,” Tal told The Intercept. “Except for us.”