When cops have a phone to break into, they just might pull a small, laptop-sized device out of a rugged briefcase. After plugging the phone in with a cable, and a few taps of a touch-screen, the cops have now bypassed the phone’s passcode. Almost like magic, they now have access to call logs, text messages, and in some cases even deleted data.
State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones, according to documents obtained by Motherboard. Over 2,000 pages of invoices, purchase orders, communications, and other documents lay out in unprecedented detail how one company in particular has cornered the trade in mobile phone forensics equipment across the United States.
Cellebrite, an Israel-based firm, sells tools that can pull data from most mobile phones on the market, such as contact lists, emails, and wiped messages. Cellebrite’s products can also circumvent the passcode locks or other security protections on many current mobile phones. The gear is typically used to gather evidence from a criminal suspect’s device after it has been seized, and although not many public examples of abuse are available, Cellebrite’s tools have been used by non-US authorities to prosecute dissidents.
Previous reports have focused on federal agencies’ acquisition of Cellebrite tools. But as smartphones have proliferated and increasingly become the digital center of our lives, the demand and supply of mobile forensics tools has trickled down to more local bodies.
UFED Touch2 Platform. Cellebrite screengrab
Cellebrite has sold its wares to regional agencies in 20 states, and likely many more, according to the cache of documents acquired by Motherboard. Those items specifically include Cellebrite’s range of Universal Forensic Extraction Devices (UFED); the typically laptop-sized or handheld devices for hoovering up data from phones. Some of the agencies note in the documents that they use the technology for legal searches of devices.
Cellebrite does not publicly comment on its customers, and did not respond to a request for an interview on the company’s US strategy.
Read more: The Phone Hackers at Cellebrite Have Had Their Firmware Leaked Online
According to a spreadsheet detailing what models of phones Cellebrite can handle, the UFED can extract data from thousands of different mobile devices. It can’t, however, extract the passcode on the iPhone 4s or above.
“We use it for any and all crimes,” Nate McLaren, Special Agent in Charge at the Iowa Department of Public Safety’s Cyber Crime Unit and Internet Crimes Against Children Task Force, told Motherboard in a phone call. “Anywhere we think there might be a digital footprint or a digital fingerprint.”