Cellebrite, suspected of cracking the San Bernardino iPhone, falls victim to server hack
Cellebrite, the Israeli digital forensics firm thought to have provided the FBI with assistance to break the security of the San Bernardino shooter's iPhone, has confirmed it has been the victim of a security breach of one of its servers.
A notice on Cellebrite's website alerting customers to the breach explains that it took place on an external web server, and that the company is investigating the full extent of the intrusion before taking steps to harden its security. Cellebrite admits the attacked server held a "legacy database backup" of my.Cellebrite, the company's own end-user license management system, which it has already migrated away from.
The data accessed from the backup includes basic contact information for users registered for alerts, and hashed passwords for users not yet migrated to the new system. While Cellebrite says it is unaware of "any specific increased risk" to customers, it advises account holders to change their passwords as a precaution. That advice is worth following: the notice does not say how the passwords were hashed, and hashed passwords can still be cracked offline, especially if the scheme was weak or unsalted, so any password reused on other services should be changed as well.
The intruders may have made off with far more than Cellebrite is disclosing: Motherboard claims to have obtained approximately 900 gigabytes of data related to the company, believed to have been sourced in part from Cellebrite's servers. The cache reportedly contains more than customer information, with technical data about Cellebrite's products and evidence files extracted from seized mobile phones allegedly included, though it is unclear whether details of device vulnerabilities are among them.
Cellebrite is best known for its mobile forensics work, which the FBI allegedly relied on in the San Bernardino case. The FBI is believed to have used Cellebrite's technology to extract data from shooter Syed Rizwan Farook's iPhone 5c running iOS 9, bypassing the passcode lock. The 5c is notable here because it predates the Secure Enclave, so the passcode retry delays and the optional erase-after-ten-attempts protection were enforced by iOS software rather than by dedicated hardware, which is what made a software bypass plausible.
While neither Cellebrite nor the FBI has confirmed working with the other on the case, the FBI is believed to have paid less than $1 million for a zero-day vulnerability, with Cellebrite the most likely recipient. The San Bernardino episode proved profitable to Cellebrite in other ways, with reports that the Indian government has also bought rights to use the company's technology.
Last month, a leak showed how far Cellebrite's tool can go in extracting data from an iPhone. While it pulled a large amount of data potentially useful to a police inquiry, the iPhone in question was not protected by a passcode. On iOS the passcode is the user secret that the data-protection keys are derived from, so without one the device's contents are effectively open to any tool with physical access; the leaked extraction therefore says little about what the tool can do against a locked device.