A phone-hacking device that law enforcement officials use to extract data from phones is popping up on eBay for as little as $100. Federal agencies in the US and elsewhere, including the FBI and Department of Homeland Security, typically spend up to $15,000 on current models of Cellebrite's Universal Forensic Extraction Device, though older versions are available on the secondary market.
It seems police forces have sold or otherwise disposed of some devices, which later made their way to the online auction house, according to Forbes. Worryingly, cybersecurity researcher Matthew Hickey bought several UFEDs from eBay and found details on what phones law enforcement officials searched (including specific device identifiers like IMEI numbers), when the devices were accessed and what kinds of data were obtained. While he did not delve further, he suspected he'd be able to obtain personal data including photos, contacts and messages.
The cellebrite UFED touch became EOL recently to be replaced with Touch 2 and Ufed4pc. I noticed the units have been appearing on eBay in various states of disrepair. I picked these up for $100 each just recently (yes some still work). pic.twitter.com/pVKgNhWjge
— Hacker Fantastic (@hackerfantastic) February 10, 2019
Hickey found one of the devices was used to access Samsung, LG, ZTE and Motorola phones, while he was able to use it to crack old iPhones and iPods. It seems officials are selling older UFEDs that can't access phones running newer versions of iOS or Android. More recent models were able to access iPhones running iOS 11. UFEDs use vulnerabilities unknown to the likes of Apple or Google to access the phones. Cellebrite's devices become outdated as the vulnerabilities are patched.
Cellebrite has reportedly sent letters asking its customers to destroy UFEDs that are no longer useful or return them to be properly disposed of instead of selling the devices. Its terms don't permit clients to resell UFEDs.