Meant to be used only by law enforcement, Cellebrite hacking tools for iPhones and other smartphones are reportedly selling on eBay for sums as low as $100.
The most expensive the used hardware gets is $1,000, Forbes said on Thursday. Cellebrite sells new systems for $6,000 or higher.
The forensic data firm is sending letters to clients warning them against reselling its hacking tools, given the potential for illegally breaking into private data. Nominally the equipment is expected to be sent back to Cellebrite — serious concerns have been raised given that people within or connected to police agencies are not only putting the tools in the hands of unknown persons, but potentially leaking case data if it hasn't been wiped.
One security researcher, Matthew Hickey, recently bought a dozen such units and discovered data on what devices were searched and when, and the forms of data that were extracted. That includes IMEI numbers, which could be used to track down an individual phone.
The devices could even contain chats and contact lists, Hickey said, though he chose not to explore that material.
Still more worrisome is the possibility that Cellebrite's tools could map out vulnerabilities it hasn't shared with Apple and other vendors. Apple tends to close exploits used by forensics firms as soon as it discovers them, since they could just as well be used illegally.
Cellebrite is famously believed to be the third party the FBI turned to crack the iPhone 5c of San Bernardino killer Syed Rizwan Farook. The FBI and Department of Justice had been insisting that they needed Apple to code a backdoor, but were met with active opposition by CEO Tim Cook and others, who argued that the company would have to fundamentally compromise the security of iOS — precisely because backdoors could be leaked or shared by government agencies, or else discovered independently.
Various U.S. officials have complained that Apple's insistence on end-to-end messaging encryption and full-disk encryption for devices is causing its products to "go dark" to law enforcement and spy agencies. The battle has in fact gone global, with the "Five Eyes" intelligence network — including Australia, Canada, New Zealand, the U.K. and the U.S. — claiming that "privacy is not an absolute," and hoping for legislation that can bypass encryption, despite complaints from tech companies, privacy advocates, and the public.