For months, the FBI has portrayed its case against Apple Inc. as one of desperation: that it had exhausted every known means to crack the iPhone 5C carried by Syed Farook on Dec. 2 when he and wife, Tashfeen Malik, shot and killed 14 people in San Bernardino, California.
And yet the “outside vendor” the FBI is reported to be working with to break the encryption on the phone has long relationships with many branches of the U.S. government, including the FBI.
Cellebrite, a private company founded in 1999 and based in Petah Tikva, Israel, manufactures a variety of technologies that make it possible for law enforcement agencies to extract crucial data from popular cell phones. Now the company reportedly has a starring role in the international drama playing out over encryption between the FBI and the biggest global tech companies.
FBI Director James Comey testified before Congress that the agency had no other means to crack the phone than to invoke the All Writs Act and compel Apple to break its own encryption. “We engaged all parts of the government to see if anyone has a way short of asking Apple to do this with a 5C running iOS 9 and we do not,” he said.
The government backtracked on that at the 11th hour Monday, asking for an extension on a court hearing and revealing it’s in talks with “an outside party [that] demonstrated to the FBI a possible method for unlocking Farook’s iPhone.” That company is reported to be Cellebrite, according to a report Tuesday in the Israeli newspaper Yedioth Ahronoth.
Later, an executive at the company stopped short of confirming it in an interview with Haaretz. “The level of complexity is exponential and it’s at a point that it’s getting difficult — but if anyone can do it, it’s us,” Leeor Ben-Peretz, executive vice president of products and business development for mobile forensics, told the paper. Cellebrite did not respond to calls from International Business Times.
If true, it would cast doubt on the government’s claims since various branches of the U.S. government, including the FBI, have longstanding relationships with Cellebrite, according to public records listed on the Federal Procurement Data System database. Indeed, the FBI has spent at least $2 million on the company’s surveillance products since 2012.
In fact, the Drug Enforcement Administration was granted a search warrant to search an iPhone 6 in an unrelated case in Maryland on Feb. 16. In that case, which is unrelated to the events in San Bernardino, the DEA described its plan to bypass the phone’s password security features using a “CellBrite” device.
Documents on Cellebrite’s website indicate the company provides advanced technology to more than 100 countries intelligence services, border patrols, special forces, military forces and financial organizations, among other clients. Products include the Universal Forensics Extraction Device Ultimate, which promises to enable users to take passwords and other data, including deleted information, from cell phones, GPS devices and tablets. Another product, the UFED Link Analysis, supposedly “identifies common connections between multiple devices and disparate data sources to generate leads and uncover actionable insights from existing call logs, text messages, multimedia, applications and location data.”
A March 2016 procurement bill from the University of California, Merced, shows the state allocated $15,000 for “one Cellebrite system,” though it’s not clear if that system is a UFED Ultimate, a UFED Link Analysis or another product. That order came after a November incident on campus when one student, identified as Faisal Mohammed, stabbed four people in an attack that the FBI later said was inspired by the Islamic State terrorist group. An analysis of the student’s electronic devices indicated he viewed terrorist propaganda before the attack, the bureau said.
So if the FBI didn’t really need Apple to crack the San Bernardino shooter’s iPhone, why did it force a courtroom showdown with one of the world’s most powerful tech companies? Privacy advocates argue that the bureau viewed the case as an opportunity to establish legal precedents that would expedite future searches. Various polls have suggested the public is split almost exactly in half in its support for Apple vs. law enforcement.
“This case was never about a phone. It was a grab for power,” said Evan Greer, campaign director of Fight for the Future. “The FBI already had the capability to hack this phone using forensic tools, but they thought this case would be a slam dunk –– a way for them to set a dangerous precedent that they’ve wanted for years. Instead, it appears they’re running away with their tail between their legs, trying to save face while they go.”
Cellebrite isn’t shy about its services, either. A range of Cellebrite products are featured in a series of YouTube videos that show off, among other features, the Cellebrite User Lock Code Recovery Tool, meant to unlock an iOS device by manipulating the camera, and the Cellebrite Touch, a mobile surveillance unit that includes ports to analyze SIM cards and other phone information.
The U.S. Secret Service has spent more than $1.3 million on Cellebrite technology since 2013, public records indicate, on “electronic computer manufacturing equipment” and “radio and television broadcasting and wireless communications equipment manufacturing” equipment. That’s not to mention other contracts with the DEA, Patent and Trademark Office, U.S. Immigration and Customs Enforcement, the Transportation Security Administration and the U.S. State Department.
The company also hosts product demonstrations for state and federal police agencies. The next scheduled event, open to U.S. law enforcement only, is due to take place at the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, California, from April 11-15.
“It’s a vendor-only event hosted by Cellebrite. We have Silicon Valley vendors we work with on a regular basis to demonstrate their products,” said FBI spokesman Prentice Danner. “Mobile forensics and cyber forensics are things we work with on a regular basis. If we seize computers, those computers have to be imaged, or cell phone data for a case where a phone was used to commit a crime, but cyber forensics is just a part of our investigations.”
The FBI would not comment on whether Cellebrite is involved in the San Bernardino case, or any aspect of the Apple case.
But if the FBI knew it had the means to crack an iPhone without compelling Apple to do it, why draw Apple into a public legal fight it seemed likely to lose? Perhaps to influence a policy debate over encryption, which has become an issue in the 2016 presidential campaign, and the subject of pending legislation in Congress.
“Theoretically the device would be in a controlled environment where a single device is unlocked then, theoretically, the method could be kept secret. But then you have a precedent that’s been established where a manufacturer will give up secrets under certain circumstances,” said Stephen Cobb, a senior security researcher at the cybersecurity company ESET. “There are already police and prosecutors lining up across the nation hoping for this ability.”
This shows that the arms race between tech companies, criminals and law enforcement is going to be an increasingly lucrative one for those in the business of defeating encryption.
Forecasters predict business will only continue to grow as the tech industry invests more in encryption technology. The FBI has said it will not reveal the software exploit that makes it possible for the government to subvert the San Bernardino phone's encryption, a move that will certainly motivate Apple engineers to patch any vulnerabilities in the company’s mobile operating systems.
The arms race creates more opportunities for Cellebrite and other secretive surveillance technology dealers like the Florida-based Harris Corporation, which sells phone surveillance technology known as the StingRay, which extracts similar data from area cell phones.
“This industry is most definitely going to grow,” said Erwin Chemerinsky, a constitutional law professor specializing in electronic privacy at the University of California Irvine. “I think the fight over whether there can be encrypted communication is going to only increase, and that means there’s going to be a an enormous market for those who can break into this kind of encryption.”