[BreachExchange] Hacker Steals 900 GB of Cellebrite Data

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 12 20:05:02 EST 2017


http://motherboard.vice.com/read/hacker-steals-900-gb-of-cellebrite-data

The hackers have been hacked. Motherboard has obtained 900 GB of data
related to Cellebrite, one of the most popular companies in the mobile
phone hacking industry. The cache includes customer information, databases,
and a vast amount of technical data regarding Cellebrite's products.

The breach is the latest chapter in a growing trend of hackers taking
matters into their own hands, and stealing information from companies that
specialize in surveillance or hacking technologies.

Cellebrite is an Israeli company whose main product, a typically
laptop-sized device called the Universal Forensic Extraction Device (UFED),
can rip data from thousands of different models of mobile phones. That data
can include SMS messages, emails, call logs, and much more, as long as the
UFED user is in physical possession of the phone.

Cellebrite is popular with US federal and state law enforcement, and,
according to the hacked data, possibly also with authoritarian regimes such
as Russia, the United Arab Emirates, and Turkey.

The data appears to have been taken, at least in part, from servers related
to Cellebrite's website. The cache includes alleged usernames and passwords
for logging into Cellebrite databases connected to the company's
my.cellebrite domain. This section of the site is used by customers to,
among other things, access new software versions.

Motherboard verified the email addresses in the cache by attempting to
create accounts on Cellebrite's customer login portal. In the majority of
cases, this was not possible because the email address was already in use.
A customer included in the data confirmed some of their details.

The dump also contains what appears to be evidence files from seized mobile
phones, and logs from Cellebrite devices.

According to the hacker, and judging by timestamps on some of the files,
some of the data may have been pulled from Cellebrite servers last year.

“Cellebrite recently experienced unauthorized access to an external web
server,” the company said in a statement on Thursday after Motherboard
informed it of the breach.

“The company is conducting an investigation to determine the extent of the
breach. The impacted server included a legacy database backup of
my.Cellebrite, the company’s end user license management system. The
company had previously migrated to a new user accounts system. Presently,
it is known that the information accessed includes basic contact
information of users registered for alerts or notifications on Cellebrite
products and hashed passwords for users who have not yet migrated to the
new system,” the statement continues.

Cellebrite advised customers to change their passwords as a precaution, and
added that it is working with relevant authorities to assist in their
investigation.

Access to Cellebrite's systems has been traded among a select few in IRC
chat rooms, according to the hacker.

“To be honest, had it not been for the recent stance taken by Western
governments no one would have known but us,” the hacker told Motherboard.
The hacker expressed disdain for recent changes in surveillance legislation.

In 2014 a hacker calling themselves “PhineasFisher” publicly released 40GB
of data from surveillance company Gamma International. Gamma makes intrusion
software that can remotely switch on a target's webcam, siphon off their
emails, and much more. The following year, PhineasFisher targeted Italian
company Hacking Team, and published a trove of emails and other internal
documents from the company.

Although the terms of this Cellebrite breach are somewhat different—the
hacker has not dumped the files online for anyone to download—similarities
seem to remain, especially in the hacker's vigilante motivation.

The hacker, however, remained vague as to the true extent of what they had
done to Cellebrite's systems.

“I can't say too much about what has been done,” the hacker told
Motherboard. “It's one thing to slap them, it's a very different thing to
take pictures of [their] balls hanging out.”