eBay removes ‘phone hacking’ devices claimed to be able to access data without passcodes
eBay has pledged to remove listings from its site of electronic devices claimed to be capable of hacking mobile phones following an investigation by i.
The auction site said it would remove the computers – being offered for sale with price tags of up to £3,500 – which are claimed by vendors to be versions of a powerful tool used by law enforcement agencies in Britain to break into passcode-protected devices during criminal investigations.
When contacted by i, three eBay sellers insisted the devices they were offering for sale had valid licences, in one case lasting for more than decade, to enable the machines made by Israeli company Cellebrite to be used for purposes including bypassing security codes. Dozens of items are being offered on the auction site as Universal Forensics Extraction Device or UFEDs, a flagship Cellebrite product which is marketed as being capable of bypassing the password technology on virtually every mobile phone.
Cellebrite insisted that the items being sold on eBay are not UFEDs but instead obsolete downloading devices made for a former subsidiary which do not offer any ability to unlock or hack into phones without the owner’s passcode. The company said the machines being sold also did not have valid licences and suggested that in one case UFED screenshots may have been uploaded onto a device to make it look genuine.
On Tuesday evening eBay said that the listings offering an ability to unlock phones without a passcode violated its terms and conditions and it would remove them from its site after its attention was drawn to their existence by i. In a statement, the company said: “These items are prohibited on our site, and we are removing them.”
The eBay listings are the latest example of a game of cat and mouse between Cellebrite and unauthorised internet resellers to ensure that its devices are only used by its target market of law enforcement agencies and private companies with appropriate safeguards.
The company, which in 2021 had a value of £1.9bn, has built a lucrative worldwide business in providing its flagship UFEDs and other products to police, intelligence and other law enforcement bodies with a promise that they can access virtually the entire range of Apple and Android mobile devices.
In Britain, Cellebrite has signed contracts in the past four years worth at least £1.9m for UFEDs sold to seven police forces as well as the Home Office, the Ministry of Defence and the Competition and Markets Authority.
Privacy campaigners have warned that the rules around the use of phone unlocking technology by law enforcement agencies in the UK remain opaque, with a variety of different pieces of legislation applying to the circumstances in which hacking devices can be used. Cellebrite insists that its devices can only be used in conjunction with a valid warrant.
The company has also faced controversy over the use of its technology by repressive regimes. In 2021 it announced it was halting its operations in Russia after allegations that a branch of the Kremlin’s security services were using UFEDs to target opposition activists.
But manufacturers also face a battle with keeping their technology off the second-hand market, where it could prove attractive to criminals wanting to unlock phones or hackers wishing to access material that could still remain on redundant devices.
In 2019, Cellebrite wrote to its law enforcement customers asking them to either destroy disused or redundant equipment or return it for destruction, rather than selling it onto the second-hand market. It wrote: “Since it may be possible for these devices to access private information, we ask that you treat any Cellebrite equipment within your organisation with the highest degree of security.”
Cellebrite has since further tightened its procedures so that internet-connected UFED devices are remotely disabled once their licence expires and all new licences must now be renewed on an annual basis.
However, third-party sellers continue to offer Cellebrite-branded equipment with claims that they are UFED devices, with more than 40 items listed on eBay this week. One “UFED” item being advertised was being offered with a claim that it facilitated the “physical and logical extraction of all data and passwords (even if they’ve been deleted) from the widest range of popular mobile phones”.
Another seller offering an alleged UFED device for $4,500 (£3,570), told i that the computer was in “full working order” as a forensic device and it had a Cellebrite licence valid until July 2034. Cellebrite told i that this device did not have a valid licence and may have been manipulated to show screenshots from a genuine UFED.
The company said that nearly all Cellebrite machines being offered for sale on eBay were manufactured for a former subsidiary to allow data transfer in places such as mobile phone shops to back up or transfer data from customers’ phones. A spokesperson said: “These devices don’t unlock phones or have licences, contrary to the eBay description.”
