Phone hacking tools used by feds selling cheaply online; models sold on eBay without being scrubbed

Hacking tools used by law enforcement agencies to extract data stored on smartphones are being resold online, making the products available to the general public and resulting in a warning to customers, a report revealed Wednesday.

Cellebrite, an Israeli firm that sells the devices, recently asked users to return their old devices rather than reselling them on the internet, where secondhand copies are being auctioned on sites like eBay and purchased by members of the public for a fraction of the cost at which they are typically sold to agencies such as the FBI and Immigration and Customs Enforcement, Forbes first reported.

Archived internet listings confirm eBay users have bought and sold various Cellebrite tools for between $100 and $1,000 per unit, including Universal Forensic Extraction Device (UFED) models designed to extract data off iPhones and Android devices. Similar models are typically purchased new by customers for about $6,000, Forbes reported.

Matthew Hickey, a cybersecurity researcher who recently bought several second-hand Cellbrite devices, said that several of the products he purchased were shipped without being scrubbed of sensitive data, Forbes reported.

“You’d think a forensics device used by law enforcement would be wiped before resale. The sheer volume of these units appearing online is indicative that some may not be renewing Cellebrite and disposing of the units elsewhere,” Mr. Hickey told Forbes.

“Units are intended to be returned to vendor precisely for this reason, people ignoring that risk information on the units being available to third parties,” he added.

Mr. Hickey shared an image on Twitter following the publication of the Forbes article of an email allegedly sent by Cellebrite to the firm’s customers.

“As a part of Cellebrite’s inventory control process we need to ensure that our products are only used by the original owner,” said the message. “As a reminder, selling or distributing any of your Cellebrite equipment to other organizations is not permitted without written approval from Cellebrite.”

Cellebrite did not return messages seeking comment sent over the span of two weeks prior to publication, Forbes reported.

Law enforcement agencies rely on technology sold by companies including Cellebrite to access data stored on lawfully seized but inaccessible devices, such as password protected smartphones and tablets.

Cellebrite has contracted with U.S. agencies since at least 2009, including the FBI and ICE in addition to the Drug Enforcement Administration, the Secret Service and Department of Homeland Security, The Intercept previously reported.