A few hours ago the news broke: the government of Spain has bought 15 Cellebrite UFED Touch 2 analyzers. With this long name it may not attract attention, but in a nutshell they are devices that allow the extraction of information of some iPhone models. A tool that will now become part of the stock of the General Police Office for Immigration and Borders (CGEF).
Extract information, but only in some circumstances
For those who do not know, Cellebrite is an Israeli company specialized in selling tools to access information on electronic devices. The idea behind these expensive gadgets, worth more than 10,000 euros per device, is to be able to extract information from mobile phones, even if they are blocked.
The exact specifications of what information can be accessed and on which device models is not entirely clear even on the manufacturer’s website. In Cellebrite they state that the UFED Touch 2 that the government has bought allow access the information of 85% of the iPhones currently on the marketWhile the newer iPhone 12s are not mentioned among the possible targets of their technology.
The game of cat and mouse is the best analogy for understanding the world of data security. Security flaws are continually being discovered that can be used to access information and these faults are continually closed and protections are improved to prevent that access.
A couple of months ago the news broke that those in charge of Signal had had the opportunity to take a closer look at one of Cellebrite’s tools. As a result of the poor security of these devices, Signal was able to devise a system to make all data already collected or yet to be collected on one of those devices will be modified randomly without being able to even know if they had been modified. Faced with this situation, Cellebrite had to announce that it would stop offering information extraction from iPhones until they could guarantee its reliability.
An extraction with some asterisks.
In the end it is, as we have said, a tug of war between the need to protect the increasingly abundant information on our iPhone and being able to extract part of this information in certain situations. We do not know the security details that iOS 15 will incorporate when it is released to the public in a few weeks, nor do we know what security flaws Cellebrite may have up its sleeve to continue accessing information.
What we do know is that security experts are increasingly responsible for duly reporting to companies, such as Apple in the case at hand, the security flaws they discover so that they can be quickly solved. We also know that companies like Cellebrite rely on precisely those unreported security flaws to offer tools like the ones the government has bought. As we have already said: a game of cat and mouse.