It’s likely Cellebrite wants to keep its methods in-house, fearful of another intervention like the Signal one last year…

Background

Cellebrite sells both hardware and software designed to unlock smartphones and extract the data stored on them. Originally the company sold only to law enforcement agencies, but it later expanded into the private sector.

Its business was significantly disrupted last year when secure messaging service Signal managed to get its hands on the company’s kit. It managed to crack the software and work out how to place a file on an iPhone that would prevent data-extraction.

Cellebrite did quickly manage to find a workaround for this but is clearly afraid of a similar thing happening again.

Cellebrite kit can’t unlock iPhones

An infosec company that uses Cellebrite kit has told us that the software cannot currently unlock iPhones or later Android phones.

However, it’s not that the company doesn’t have the capability to do so – it’s just that it doesn’t want to risk another Signal-type incident of someone cracking and blocking the methods it uses.

If you want to unlock an iPhone, you have to send it to the company, paying a fee of $4k per device. The company calls this Cellebrite Advanced Services, or CAS. While the company’s website implies that CAS is limited to law enforcement agencies, we’re told that private sector customers can also use it.

Kit still extracts data from unlocked phones

The kit can still perform full data extraction from unlocked iPhones. In some cases, law enforcement will persuade suspects to unlock their phones, or obtain court orders. Private companies may also get the cooperation of the phone’s owner if they are using it for legitimate purposes – for example, to ensure that employees are complying with IT security requirements on company phones.

We learned yesterday that the company has more than 2,800 US government customers, including many police departments.