When smartphone companies refuse to help law enforcement agencies access encrypted devices, investigators often turn to companies like Cellebrite, which offers its Universal Forensic Extraction Device (UFED) to help them hack the phone in question to access secure data. The problem? This week, Forbes reported that UFEDs--which normally cost between $5,000 and $15,000--can now be bought on eBay for as little as $100.
In addition to letting anyone with a likeness of Benjamin Franklin break into other people's devices, these used UFEDs were also found to contain data from previous investigations.
Forbes said Hacker House co-founder Matthew Hickey bought a dozen UFEDs to see what secrets they might contain. He reportedly found that the "secondhand kit contained information on what devices were searched, when they were searched and what kinds of data were removed," as well as the searched phones' IMEI (international mobile equipment identity) codes.
The UFEDs Hickey bought had been used to delve into phones from Samsung, LG, ZTE and Motorola. He also confirmed that they worked on select iPhone and iPod models. According to the report, Hickey suspects he could've accessed more private information, too, but didn't want to dig too deeply into the UFEDs lest he find case evidence.
It's hard to believe law enforcement officials were allowed to sell UFEDs on platforms like eBay in the first place. But to do so without scrubbing the data they'd gathered is unconscionable. The sellers didn't just make it easy for anyone to hack devices; they also shared information about people who'd already been hacked.
We don't need to guess why law enforcement officials like these devices: FBI executive assistant director Amy Hess recently told the Wall Street Journal that encryption "infects law enforcement and the intelligence community more and more so every day." Technologies like UFEDs can obviously help treat that so-called infection.
But when they're sold on the open market for a fraction of their cost, they can also be used to invade someone's privacy without any of the oversight to which government agencies are subjected.