FBI Uses Cellebrite Tools to Crack Thomas Crooks’ Phone and Upend Assumptions About Security


On July 13, a 20-year-old armed with an AR-15 style rifle tried to assassinate former President Trump. On that day, some important assumptions were proven wrong. First, the assumption that a rooftop only 400 feet away from the podium where Donald Trump spoke was secured by the Secret Service was proven tragically false. In the aftermath of the event, another assumption I held was busted. I always assumed the privacy protections on my iPhone were impenetrable – even by the NSA. Boy, was I wrong.

How Did the FBI Access Thomas Crooks’ Phone?

After Thomas Crooks attempted to shoot former President Donald Trump, the FBI swiftly launched an investigation. Initial attempts by the local FBI field office to unlock Crooks’ phone failed. But once Cellebrite supplied unreleased software and technical support, the FBI bypassed the Samsung phone’s lock in about 40 minutes.

While no motive was discovered, some damning things were found on the gunman’s phone, including a photo of mass shooter Ethan Crumbley, photos of Trump and President Biden, and the dates of Trump’s appearances and of the upcoming Democratic National Convention. On the day of the rally, Crooks searched for the sporting goods store where he purchased ammunition and for directions to the rally. His last search was for porn.

Is My Phone Really Secure?

I have no criminal intentions because let’s face it, I’m not cut out for prison.

But reading about the FBI using a device to access a smartphone made me want to know more. How do Cellebrite’s tools work? Can anybody use tools to access my iPhone? How secure is my iPhone, really? Should I be worried about my privacy?

Cellebrite Digital Forensics Tools Can Crack Passcodes and Extract Data

Cellebrite is a provider of digital forensics solutions, offering a range of tools to extract, analyze, and review data from mobile devices, cloud services, and computer systems. Its hardware and software are widely used by law enforcement agencies and forensic laboratories to investigate crimes and gather intelligence. And I was surprised to learn they’ve been around for more than 20 years. Founded in 1999, Cellebrite introduced its first Universal Forensic Extraction Device (UFED) in 2007, allowing for mobile device data extraction. Since then it has expanded its offerings to analyze cloud data and incorporated machine learning.

Israel-based Cellebrite isn’t the only provider of mobile device forensic tools (MDFTs). GrayKey, made by Grayshift (now part of Magnet Forensics), is among the most expensive and advanced of these tools, costing between $15,000 and $30,000. In March 2024 the maker of GrayKey announced that its Magnet GrayKey device has “full support” for Apple iOS 17, Samsung Galaxy S24 devices, and Pixel 6 and 7 devices, meaning the vendor claims it can extract data from then-current phones and mobile operating systems.

How Does Cellebrite Crack Phones?


The Cellebrite UFED (Universal Forensic Extraction Device) is a 10-pound, portable box about 12”x8”x4” with a touchscreen and connectors for different phones. The exact techniques are proprietary, but an examination with a tool like this follows a systematic, methodical order. Here’s an outline of the steps and the order in which they are generally carried out:

1. Initial Assessment

Device Identification: The process begins by identifying the specific make and model of the phone. Different devices and operating systems may require different approaches. This step determines the security features in place, such as the type of passcode, encryption, and any additional security measures like fingerprint or facial recognition.

2. Data Backup (if possible)

Before attempting to unlock the device, the examiner images or backs up the phone’s current state where that is possible, so that nothing is lost or altered during the unlocking process and the evidence can be shown to be unchanged.

3. Exploiting Known Vulnerabilities

Use software tools to identify and exploit known vulnerabilities in the phone’s operating system or boot chain. This step can sometimes bypass the need for cracking the passcode, or, more often, disable the guess counters that make cracking impractical (see step 5). In some cases the tool may downgrade the phone’s firmware to a version with known vulnerabilities, though modern phones only boot vendor-signed firmware and check version numbers, which blocks most downgrades.

4. Attempting Logical Extraction

Before attempting more invasive techniques, the examiner tries a logical extraction, which uses the phone’s own sync and backup interfaces (such as the iTunes backup protocol or Android backup) rather than an exploit. This generally requires the phone to be unlocked, or to trust a computer it was previously paired with, and it yields only what those interfaces expose; an unencrypted backup is the easiest case.

5. Brute Force and Dictionary Attacks

If the passcode is short, the tool can try every possible combination (a brute force attack), or start with a list of common PINs and passwords (a dictionary attack) to shorten the search. Two device features stand in the way. First, both iOS and Android impose escalating delays after a run of wrong guesses; on iOS the delay reaches an hour per attempt, which turns even a 4-digit PIN into a job of more than a year. Second, iOS can be set to erase all data after 10 incorrect attempts, and once that fires the encryption keys are gone and no further guesses are possible; a dictionary attack dies the same way on its 10th miss. This is why step 3 matters: if a software exploit can disable or reset the delay and wipe counters, the tool can guess at full speed without triggering the erase, and the strength of the passcode itself becomes the only remaining defense.

6. Advanced Cryptographic Attacks

Against a password stored as a plain, unsalted hash, precomputed (rainbow) tables can recover it quickly from the hash value. Modern phones are built to deny this: the passcode is never stored, and the key that decrypts the data is derived from the passcode together with a device-unique secret held in the Secure Enclave (iOS) or the TEE (Android), so the same PIN produces a different key on every phone and every guess has to be checked on the device itself. Cryptographic shortcuts therefore apply only to material that leaves the device, such as an encrypted backup file whose password can be attacked offline.
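The following simulation is an added example for this article, not Cellebrite’s, Apple’s or Google’s code. It models the lock screen described in steps 5 and 6: the key is derived from the passcode plus a secret that never leaves the device (so a precomputed table built elsewhere matches nothing), wrong guesses trigger escalating delays and an optional wipe after 10 failures, and a guesser tries common PINs before an exhaustive search. The delay schedule, the wipe-after-10 rule, the 80 ms per attempt and the PBKDF2 parameters are assumptions chosen to resemble iOS behaviour, not measurements of a real product; the `rate_limit=False` case stands in for a device whose counters have been disabled by an exploit (step 3).

```python
"""Simulation of on-device passcode guessing against a hardware-entangled key.

Added example for this article; it is not Cellebrite's, Apple's or Google's
code.  The delay schedule, the wipe-after-10 rule, the 80 ms per attempt and
the PBKDF2 parameters are assumptions chosen to resemble iOS behaviour.
"""
import hashlib
import hmac
import itertools
import os
import string

KDF_ITERATIONS = 1_000          # assumption: real devices tune this so one attempt costs ~80 ms
SEP_ATTEMPT_SECONDS = 0.08      # Apple documents roughly 80 ms per attempt in the Secure Enclave
DELAY_AFTER_FAILURES = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}  # seconds, iOS-like schedule
STEADY_STATE_DELAY = 3600       # from the 10th failure on, one guess per hour
WIPE_AFTER = 10                 # "Erase Data" style policy
COMMON_PINS = ["1234", "0000", "1111", "1212", "7777", "2580", "123456", "111111"]


class SimDevice:
    """Models the lock screen: the passcode never yields a key without the device UID."""

    def __init__(self, passcode, wipe_enabled=True, rate_limit=True):
        self.uid = os.urandom(32)       # device-unique secret fused into hardware
        self.salt = os.urandom(16)
        self.wipe_enabled = wipe_enabled
        self.rate_limit = rate_limit
        self.failures = 0
        self.wiped = False
        self.elapsed = 0.0              # modelled wall-clock seconds spent waiting out delays
        self._key = self._derive(passcode)

    def _derive(self, passcode):
        # PBKDF2 stretches the guess; the HMAC with the UID binds it to this device.
        # The same PIN gives a different key on every phone, so a rainbow table
        # precomputed elsewhere matches nothing here.
        stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, KDF_ITERATIONS)
        return hmac.new(self.uid, stretched, "sha256").digest()

    def try_unlock(self, guess):
        if self.wiped:
            raise RuntimeError("device wiped; keys destroyed")
        if hmac.compare_digest(self._derive(guess), self._key):
            return True
        self.failures += 1
        if self.rate_limit:
            default = STEADY_STATE_DELAY if self.failures >= WIPE_AFTER else 0
            self.elapsed += DELAY_AFTER_FAILURES.get(self.failures, default)
        if self.wipe_enabled and self.failures >= WIPE_AFTER:
            self.wiped = True
        return False


def guess_passcode(device, alphabet=string.digits, length=4, dictionary=COMMON_PINS):
    """Dictionary first, then exhaustive search.  Returns (passcode or None, attempts)."""
    common = [p for p in dictionary if len(p) == length]
    exhaustive = ("".join(t) for t in itertools.product(alphabet, repeat=length))
    attempts = 0
    for cand in itertools.chain(common, (c for c in exhaustive if c not in common)):
        if device.wiped:                # the erase policy ended the attack
            return None, attempts
        attempts += 1
        if device.try_unlock(cand):
            return cand, attempts
    return None, attempts


def exhaustive_seconds(alphabet_size, length, rate_limited=True):
    """Worst-case time to try every passcode of this shape on the device itself."""
    keyspace = alphabet_size ** length
    if not rate_limited:                # counters disabled by an exploit: hardware speed only
        return keyspace * SEP_ATTEMPT_SECONDS
    total = 0.0
    for n in range(1, min(keyspace, WIPE_AFTER - 1) + 1):
        total += SEP_ATTEMPT_SECONDS + DELAY_AFTER_FAILURES.get(n, 0)
    total += max(keyspace - (WIPE_AFTER - 1), 0) * (STEADY_STATE_DELAY + SEP_ATTEMPT_SECONDS)
    return total


if __name__ == "__main__":
    print(guess_passcode(SimDevice("1111")))                       # falls to the dictionary
    dev = SimDevice("9753")
    print(guess_passcode(dev), "wiped:", dev.wiped)                 # wiped after 10 misses
    dev = SimDevice("0042", wipe_enabled=False)
    print(guess_passcode(dev), "hours waiting:", dev.elapsed / 3600)
    for size, length in ((10, 4), (10, 6), (62, 8)):
        print(size, length,
              "rate-limited days:", round(exhaustive_seconds(size, length) / 86400),
              "bypassed days:", round(exhaustive_seconds(size, length, False) / 86400, 3))
```

The numbers are the point: with the counters intact, a 4-digit PIN costs over 400 days of waiting, and a wipe policy ends the attack after 10 guesses; with the counters bypassed, the same PIN falls in about 13 minutes, a 6-digit PIN in under a day, and only an 8-character alphanumeric code stays out of reach.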

7. Side Channel and Hardware-Based Attacks

If software methods fail, the examiner may turn to the hardware: side-channel attacks, which infer secrets from power draw, timing or electromagnetic emissions, and invasive methods such as JTAG or chip-off, in which the flash memory is desoldered and read directly, sometimes with FPGA-based rigs to accelerate the work. On current phones the flash holds only ciphertext and the key lives in the secure processor, so a chip-off yields little without the passcode or a separate flaw; it remains effective against older or unencrypted devices.

8. Customized and Tailored Exploits

For particularly challenging devices, Cellebrite’s team may develop tailored exploits specific to the phone model or software version being targeted.

9. Cloud-Based Attacks

Cloud computing resources can distribute a password-cracking workload across many virtual machines, but only for data that can be taken off the device, for example an encrypted backup or archive whose password can be attacked offline. Guesses against the device passcode itself cannot be farmed out this way, because the key depends on a secret that never leaves the phone’s secure hardware. Separately, cloud accounts linked to the phone can be extracted with proper legal authority or with tokens recovered from the device.

10. Extraction and Analysis

Once access is gained, Cellebrite extracts data from the phone, including messages, call logs, emails, photos, and app data. The extracted data is then analyzed to piece together evidence, often using Cellebrite’s proprietary software to sift through and organize the information.

11. Reporting

Document the methods used and the data extracted in a detailed report. This report is often crucial for legal proceedings, ensuring that the process followed is transparent and legally sound.

How Much Does a Cellebrite UFED Cost and What Expertise is Required to Use It?

The cost of a Cellebrite Universal Forensic Extraction Device (UFED) varies significantly based on the model and features. Basic models start at around $5,000 to $10,000, while more advanced versions can range from $10,000 to $20,000. Comprehensive packages that include additional software tools, training, and support services can cost between $20,000 and $50,000 or more. Additionally, there are annual subscription fees for software updates, maintenance, and technical support, which can add a few thousand dollars to over $10,000 per year depending on the service level.

Operating a Cellebrite UFED requires substantial expertise. This includes a deep understanding of mobile operating systems, data extraction techniques, and cryptographic principles. Cellebrite offers certification programs like the Cellebrite Certified Operator (CCO) and Cellebrite Certified Mobile Examiner (CCME) to train users.

Can Anybody Use Cellebrite to Crack Phones?


Cellebrite restricts sales of its forensic tools, like the UFED, to law enforcement, government bodies, and corporate entities involved in legitimate forensic investigations (due to concerns about misuse and privacy violations). Purchasers must provide proof of official capacity and legal authority. International regulations, such as export control laws, govern the sale and distribution of these tools to prevent illegal use in other countries. Data protection and privacy laws, like the GDPR in the EU and CCPA in California, require compliance to protect individual rights. Forensic tools must be used in accordance with local, state, and federal laws. Certification and training ensure that only trained professionals use these tools responsibly.

Examples of Authorities Cracking Phones by Using and Misusing Cellebrite Tools

Cellebrite is a critical tool in helping law enforcement combat human trafficking, solving cold cases, aiding in drug enforcement operations, and even finding missing people.

Cellebrite’s UFED helped investigators uncover a large-scale human trafficking ring, leading to the arrest of 30 suspects and the rescue of over 100 victims. In the 2018 case of the Murder of Jane Doe in the United Kingdom, data extracted from an old phone using Cellebrite’s UFED helped investigators solve a 20-year-old murder case, leading to the conviction of the killer. During Operation Drug Bust in 2020, Cellebrite’s UFED helped law enforcement track and apprehend a major Mexican drug cartel leader, leading to the seizure of over $10 million worth of drugs. In Australia Cellebrite’s UFED helped investigators locate a missing person by extracting data from her phone, leading to her safe return to her family.

But just like other tools designed for good, mobile device forensic tools pose a danger of unauthorized use leading to warrantless searches and loss of privacy.

In the 2020 case of ACLU v. South Bend Police Department, the ACLU alleged that the South Bend Police Department used Cellebrite’s UFED to extract data from phones without warrants, violating the Fourth Amendment rights of citizens. The police accessed phones during traffic stops and during a 2020 protest against police violence. In 2019 the Chicago Police Department was accused of using Cellebrite’s UFED to extract data from phones during routine stops, raising concerns about privacy and Fourth Amendment violations. Also in 2020, the Sacramento County Sheriff’s Department faced allegations of unauthorized access to phones using Cellebrite’s UFED, sparking concerns about privacy and potential Fourth Amendment violations. The police used Cellebrite to access the phones of racial justice protesters and even a journalist.

Why an Average, Law-Abiding Citizen Should Care About Privacy and Warrantless Searches

“If you have nothing to hide, you have nothing to fear.”

This phrase is commonly used in discussions about privacy, surveillance, and government monitoring. It suggests that individuals who are not engaged in illegal or suspicious activities should not be concerned about privacy invasions, as they have nothing to conceal from authorities. But even law-abiding citizens should value their privacy and constitutional rights.

So, why care about privacy? 

Because privacy is considered a fundamental human right, essential for personal autonomy and freedom. Privacy should be valued by everyone, regardless of whether they have something to hide because it protects individuals from undue scrutiny and allows them to control their personal information. The lack of privacy or threat of constant surveillance can have a chilling effect on the exercise of freedoms. It can deter individuals from exploring ideas or engaging in activities that are perfectly legal but might be considered controversial.

Privacy is a pillar of political dissent, empowering citizens to challenge unjust government.

Unchecked use of surveillance tools and data collection can be misused by authorities, leading to invasions of privacy, even for innocent people. In addition to misuses during the 2020 BLM and racial justice protests, there are also historical examples of governments using surveillance to suppress dissent, target minority groups, or conduct unwarranted searches.

In the United States, COINTELPRO (Counter Intelligence Program), run by the FBI between 1956 and 1971, was a series of covert and illegal activities aimed at surveilling, infiltrating, discrediting, and disrupting domestic political organizations. The FBI used wiretaps, infiltration, false documents, and harassment against civil rights organizations like the Southern Christian Leadership Conference, the Black Panther Party, feminist groups, socialist organizations, and anti-Vietnam War organizers. Prominent figures like Martin Luther King Jr. were heavily surveilled, with attempts to undermine their reputations. COINTELPRO created a climate of fear and mistrust among activists and was deemed an abuse of power.

Americans have a constitutional right to privacy.

The Fourth Amendment to the United States Constitution is a fundamental part of the Bill of Rights that protects individuals from unreasonable searches and seizures by the government. This protection extends to individuals’ homes, personal property, and private information. To obtain a search warrant, law enforcement must show a judge probable cause: a reasonable basis to believe that a crime has been committed and that evidence of that crime will be found in the place to be searched. In Riley v. California (2014) the Supreme Court held that police generally need a warrant to search the contents of a phone seized during an arrest. Unfortunately, this protection hasn’t always been afforded to citizens when their phones were cracked by police without a warrant.

Constitutional and Legal Protections Against Cellebrite Tools

The constitutional and legal framework provides robust protections against the misuse of digital forensic tools like Cellebrite. Ongoing legislative actions and advocacy efforts are crucial in ensuring that these tools are used responsibly and in compliance with privacy rights. New laws and policies continue to evolve to address emerging privacy concerns and enhance oversight and accountability in the use of digital forensic technology.

Several legislative bodies are working to regulate the use of digital forensic tools. For example, California’s Assembly Bill 1399 mandates that law enforcement must obtain a warrant to access data from digital devices. This reflects a broader trend towards stricter controls on digital searches. The proposed Fourth Amendment Is Not For Sale Act, which passed the House in April 2024, would bar agencies from buying from data brokers records they would otherwise need a warrant to obtain, closing one route around proper legal process. Some recent legislative protections include:

  • California Consumer Privacy Act (CCPA): While not exclusively about digital forensic tools, the CCPA provides broad privacy protections and influences how data can be accessed and used, including by forensic tools.
  • New York’s Digital Bill of Rights: Recent legislation in New York aims to protect digital privacy and regulate how data, including that accessed by forensic tools, can be collected and used.
  • Regulations on Data Access: Some jurisdictions have introduced specific regulations governing how law enforcement can use forensic tools to access digital data, ensuring that such access is done with proper authorization and oversight.

How to Protect a Phone Against Unauthorized Access and Cracking Tools

Despite the constitutional and legislative protections against misuse of tools like Cellebrite, the best defense against access to your phone is good security measures. 

To protect your phone from unauthorized access and cracking tools like Cellebrite, use a combination of strong passcodes, encryption, and regular updates. Enhance physical security, adjust settings to disable unnecessary access points, and use security apps and features to bolster protection. Regularly review and adjust your security practices to address new threats and ensure your phone remains secure.

8 Steps to Secure Your Phone Against Cracking

1. Strong Passcodes and Authentication

  • Long and Complex Passcodes: A 4-digit PIN has only 10,000 combinations and a 6-digit PIN a million; an alphanumeric passcode of 8 or more characters is out of reach for guessing even when the phone’s rate limiting has been bypassed. On iPhone choose Custom Alphanumeric Code under Passcode Options. Avoid dates, repeated digits and keypad patterns.
  • Two-Factor Authentication (2FA): Enable 2FA for accounts and services associated with your phone. This adds an extra layer of security beyond just the passcode.
  • Biometric Security: Fingerprint and face unlock add convenience, not strength against cracking: they only release the key that the passcode protects, they are disabled after a restart or a period of non-use, and they can be switched off on demand (see step 8). The passcode remains the root secret, so biometrics are no substitute for a strong one.

2. Data Encryption

  • Full Disk Encryption: Modern iPhones and Android phones encrypt storage by default (Apple’s Data Protection, Android’s file-based encryption), with the keys tied to your passcode and to a hardware secret. You rarely need to switch encryption on, but it is only as strong as the passcode; on older Android devices, confirm under Settings > Security that the device is encrypted.
  • Secure Backup: Encrypt backups of your data. Most backup solutions offer encryption options that should be enabled.

3. Lock Screen Security

  • Auto-Lock and Timeout: Set a short timeout for the auto-lock feature so that the phone locks quickly when not in use.
  • Disable Lock Screen Notifications: Prevent sensitive information from being displayed on the lock screen by adjusting notification settings.

4. Operating System and Software Updates

  • Regular Updates: Keep your phone’s operating system and apps updated to protect against known vulnerabilities and security exploits.
  • Patch Management: Apply security patches and updates promptly to address any security weaknesses.

5. Secure Your Device Physically

  • Device Location: Use tracking features like “Find My iPhone” or “Find My Device” to locate your phone if it’s lost or stolen.
  • Physical Security: Keep your phone in a secure location and avoid leaving it unattended in public places.

6. Security Settings and Apps

  • Disable USB Debugging and Lock the Data Port: On Android, keep USB debugging off in Developer Options (or disable Developer Options entirely) so a cable cannot be used to pull data. On iPhone, leave Accessories switched off under Face ID & Passcode > Allow Access When Locked, so a locked phone refuses data connections over the port until it is unlocked.
  • Use Security Apps: Install reputable security apps that offer additional protection features such as anti-malware and intrusion detection.

7. Handle with Caution

  • Beware of Phishing: Avoid clicking on suspicious links or downloading unknown attachments that might compromise your phone’s security.
  • Secure Connections: Use secure Wi-Fi connections and avoid public Wi-Fi networks for sensitive transactions.

8. Emergency Measures

  • Remote Wipe: Enable remote wipe capabilities to erase data from your phone if it’s lost or stolen.
  • Lockdown Mode: Both platforms can disable biometrics on demand so that only the passcode unlocks the phone: on iPhone, press and hold the side button and a volume button until the sliders appear (or press the side button five times on older models); on Android, choose Lockdown from the power menu (enable it first in the lock screen settings). A restarted phone also requires the passcode. (Apple’s separate feature named Lockdown Mode hardens the OS against spyware and is a different control.)
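Step 2 recommends encrypting backups, and an unencrypted iPhone backup on a laptop is exactly the kind of data a logical extraction or a plain file copy hands over without touching the phone. The script below is an added example for this article, not Apple’s or any vendor’s code: it reads the Manifest.plist that Finder/iTunes writes into each backup folder and reports whether the backup is encrypted and whether the device had a passcode. The keys IsEncrypted, WasPasscodeSet and Lockdown/ProductVersion are the ones found in that file; the two sample manifests are constructed for the demo, and the directory paths are the usual defaults on macOS and Windows.

```python
"""Check whether local iPhone backups on this computer are encrypted.

Added example for this article, not Apple's or any vendor's code.  The sample
manifests are constructed for the demo; DEFAULT_BACKUP_DIRS are the usual
Finder/iTunes locations and may differ on a given machine.
"""
import os
import plistlib
from pathlib import Path

DEFAULT_BACKUP_DIRS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",            # macOS
    Path(os.environ.get("APPDATA", "")) / "Apple Computer/MobileSync/Backup",  # Windows, iTunes
]

# Constructed samples showing the fields this check relies on.
SAMPLE_UNENCRYPTED = plistlib.dumps({
    "Version": "10.0", "IsEncrypted": False, "WasPasscodeSet": True,
    "Lockdown": {"DeviceName": "example iPhone", "ProductVersion": "17.5.1"},
})
SAMPLE_ENCRYPTED = plistlib.dumps({
    "Version": "10.0", "IsEncrypted": True, "WasPasscodeSet": True,
    "BackupKeyBag": b"\x00" * 16,   # the real key bag is an opaque blob; placeholder here
    "Lockdown": {"DeviceName": "example iPhone", "ProductVersion": "17.5.1"},
})


def assess_manifest(manifest_bytes):
    """Return a dict describing how exposed the backup is to plain file copying."""
    m = plistlib.loads(manifest_bytes)
    lockdown = m.get("Lockdown", {})
    encrypted = bool(m.get("IsEncrypted", False))
    findings = []
    if not encrypted:
        findings.append("backup is not encrypted: messages, photos and app data "
                        "are readable by anyone who can copy the files")
    if not m.get("WasPasscodeSet", True):
        findings.append("device had no passcode when this backup was taken")
    return {
        "device": lockdown.get("DeviceName"),
        "ios_version": lockdown.get("ProductVersion"),
        "encrypted": encrypted,
        "findings": findings,
    }


def scan_backup_dirs(dirs=DEFAULT_BACKUP_DIRS):
    """Assess every backup folder (one per device UDID) that has a readable Manifest.plist."""
    results = {}
    for base in dirs:
        base = Path(base)
        if not base.is_dir():
            continue
        for manifest in base.glob("*/Manifest.plist"):
            try:
                results[manifest.parent.name] = assess_manifest(manifest.read_bytes())
            except (OSError, plistlib.InvalidFileException) as exc:
                results[manifest.parent.name] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for name, sample in (("unencrypted sample", SAMPLE_UNENCRYPTED),
                         ("encrypted sample", SAMPLE_ENCRYPTED)):
        print(name, assess_manifest(sample))
    for udid, report in scan_backup_dirs().items():
        print(udid, report)
```

Run it on a machine that syncs an iPhone; any folder reported as not encrypted should be deleted and the next backup made with “Encrypt local backup” enabled, which also makes saved passwords and health data part of the backup.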

Thomas Crooks’ Samsung phone was fairly new, keeping the local FBI office from cracking through the passcode. But once experts used unreleased Cellebrite tools and received technical support, the security was easily bypassed.

The lesson is that no amount of security can protect a phone’s contents from the most advanced cracking tools, so criminals be warned!

For the rest of us, good security may prevent unauthorized, warrantless access by police, ensuring our constitutional right to privacy is protected.

Conclusion

The Thomas Crooks case has vividly demonstrated that no matter how secure we believe our personal devices to be, vulnerabilities exist that can be exploited by advanced forensic tools. The ease with which the FBI accessed Crooks’ phone using Cellebrite’s technology challenges the assumption that our smartphones are impervious to intrusion.

This case underscores the critical balance between empowering law enforcement with the tools necessary to investigate crimes and protecting individual privacy rights. While digital forensic tools like Cellebrite’s UFED are invaluable for solving serious criminal cases and ensuring justice, they also present significant risks if used improperly or without adequate oversight.

Legal frameworks and public advocacy play pivotal roles in maintaining this balance. Laws and regulations, such as California’s Assembly Bill 1399 and the Fourth Amendment Is Not For Sale Act, are essential for ensuring that forensic tools are used in a manner that respects privacy and civil liberties. Ongoing legislative efforts and oversight are crucial in adapting to the rapidly evolving field of digital forensics, ensuring that technological advancements do not come at the expense of fundamental rights.

Looking to the future, the challenge will be to continue refining legal protections while embracing technological innovations. As digital forensics tools become more sophisticated, it is imperative that privacy protections evolve concurrently, safeguarding individuals from unwarranted invasions of privacy and maintaining public trust in the justice system. Balancing these concerns will be crucial in fostering a society where technological progress and individual rights are not at odds but are instead harmoniously integrated.