Cellebrite asks cops to keep its phone hacking tech ‘hush hush’
I’m happy you can join us. And I’m happy to kick off this initial module covering the system overview and orientation for Cellebrite Premium. Thank you and enjoy.
Did you know that Cellebrite Advanced Services has 10 labs in nine different countries around the world? Well, in order to leverage all of that capacity, we are working together to deliver this training to you, so you will be hearing from colleagues from around the world. The following list are those that comprise this current module set, I hope you enjoy meeting them each.
Before we begin, it’s quite important to go over the confidentiality and operational security concerns that we must abide by by using Cellebrite Premium, not only ourselves in our own Cellebrite Advanced Services labs, but most particularly you in your own labs around the world.
Well, we must recognize that this capability is actually saving lives. And in situations when it’s too late, we’re helping to deliver closure for the victims’ families, and ultimately solve crimes and put people behind bars. So, it’s super important to keep all these capabilities as protected as possible, because ultimately leakage can be harmful to the entire law enforcement community globally.
In a bit more detail, these capabilities that are put into Cellebrite Premium, they are actually trade secrets of Cellebrite, and we want to continue to ensure the viability of them so that we can continue to invest heavily into research and development, so we can give these abilities to law enforcement globally. Your part is to ensure that these techniques are protected as best as you can, and to either consider them as “law enforcement sensitive” or classify them to a higher level of protection in your individual country or agency.
And the reason why is because we want to ensure that widespread knowledge of these capabilities does not spread. And, if the bad guys find out how we’re getting into a device, or that we’re able to decrypt a particular encrypted messaging app, while they might move on to something much, much more difficult or impossible to overcome.We definitely don’t want that.
We’re also aware that the phone manufacturers are continuously looking to strengthen the security of their products. And the challenge is already so difficult as it is, but we still continue to have really good breakthroughs. Please don’t make this any more difficult for us than it already is.
And ultimately, we don’t really want any techniques to leak in court through disclosure practices, or you know, ultimately in testimony, when you are sitting in the stand, producing all this evidence and discussing how you got into the phone. Ultimately, you’ve extracted the data, it’s the data that solves the crime. How you got in, let’s try to keep that as hush hush as possible.
And now moving on to operational security or “opsec.” It starts with the physical protection of the premium system and all of its components that you’ve received in the kit.
These little bits and pieces that make all this capability… magic. They’re highly sensitive assets, and we want to ensure that no tampering or any other curiosities are employed on these devices. And in some cases, there is the chance of tampering and disabling the component, and that’s something that you really don’t want to do, because it could knock out your agency from having the capability whilst you await a replacement.
Additionally, exposure of any of these premium capabilities could be quite harmful to the global law enforcement environment. So, be careful with information sharing, whether it’s in face to face conversations, over the phone, on online discussion groups, via email — other things like that — just try to keep it sensitive and don’t go into any details.
When it comes to written documentation, obviously, you don’t want to disclose too much in your court reports. But definitely put the bare minimum to ensure that a layperson can understand the basic concepts of what was done.
Certainly mention that you used Premium, you can mention the version, but do not go into detail of what you’ve done with the phone: either manipulating it or whatever shows up on the graphical user interface of premium itself.
And when it comes to technical operations and quality management within your organization, please be wary that any document that you put together as a standard operating procedure could be visible by an outside auditor for ISO 17025 or other people that could do a Freedom of Information Act request in your agency in whichever laws of your country.
So just be careful with all that. You need to protect this as best as possible. And the other additional factor that you may not be aware of is that failed exploitations on devices — if they’re able to connect to the network — they could phone home and inform the manufacturer that the device is under attack. And with enough knowledge and intelligence, it is possible that the phone manufacturers might find out what we’re doing to achieve this magic. So please do your best to follow all the instructions and make this the best possible procedures [sic] going forward.”