Oddbean new post about | logout
Final | 20 days ago (raw) | root | parent | reply | flag +11 
 This device is called a Cellebrite UFED Touch, it's a device sold by Cellebrite - a forensics firm from Israel. It's a tablet preinstalled with Cellebrite UFED, a software suite for mobile device data extractions, which can be run portably. Also has a SIM cloning tool attached to it.

It's a tool sold to forensics firms or police to do forensic cloning of a phone's data. That footage is several years old and the software looks different now. There have also been newer generations of the device. It comes in a big carry case with cables for every major new and old smart device.

Cellebrite use existing exploits (like checkM8 on older iPhones) or develop their own, unknown exploits to try and brute force the credentials of phones so an investigator can unlock them. Cellebrite sell unique variations of UFED (Cellebrite Premium, Cellebrite Insurers) strictly for law enforcement or government clients that use unknown/zero-day exploits on certain devices which have a far greater device support catalog.

Cellebrite typically compromise new iOS versions or iPhones a few months after releasing. The only devices they struggled with long-term are Pixel devices with #GrapheneOS installed on it, where they have no brute force capability and can only work on versions before 2022. (This doesn't imply the exploit was AVAILABLE in 2022, and it likely wasn't).

Here are their device catalog just before this year's generation of smart devices were released:

https://image.nostr.build/e0e3fb4623c342ad785b17aa1b5303b00952d2ef6ead45632dc6f80520e94714.jpg

https://image.nostr.build/7b2ed94d43cceed0df88a8269d0592aca0f868f67b43315cc0503aa9519afa48.jpg

For apps like Signal, SimpleX or others, if a person can have total access of the device and navigate the screen etc. then they can just open your app like a normal user and read the messages. Cellebrite sell a tool called Physical Analyser which reads the UFED data extraction and automatically parses/loads the data to put all the messages in all supported apps in one timeline for the investigator to read. If an app is supported by PA, just read there, if not, then just navigate the phone and take pictures of a screen with the camera.

Protecting the application data with encryption via a passphrase helps. Molly (hardened Signal fork) does that, if they can't brute force the passphrase then they can't read the messages. Duress PINs for the apps don't help in this case because the data is cloned. A duress PIN for the OS would be a better countermeasure because the device wouldn't be cloned in that state.

Protections already exist against these tools: First best choice is to use a very strong password that is impossible to brute force.

Cellebrite isn't the only retailer in this space, there is also MSAB who sell XRY, and Magnet who sell GrayKey. Their capabilities generally are the same across retailers.