Govt. iPhone Hacking Tools Are Being Sold on eBay for As Little As $100

Sophisticated iPhone hacking tools meant only for law enforcement are popping up on eBay for as low as $100, according to a new report.

Some of the tools available for sale on the retail site include devices made by Cellebrite, an Israeli data extraction company largely rumored to be the firm that helped the FBI break into an iPhone belonging to one of the San Bernardino shooters.

The U.S. government has been paying Cellebrite millions to break into Apple and Android smartphones. Now, some of Cellebrite’s tools are being bought and sold on eBay for between $100 and $1,000 a unit, Forbes’ Thomas Brewster reported.

That’s a steep discount from the usual price tag of $6,000 for comparable, brand-new models. But it also confirms something privacy advocates have worried about for a long time: these devices can very easily fall into the wrong hands.

Devices like Cellebrite’s UFED are meant only for government and law enforcement use, not by civilians or consumers. But Forbes points out that it now appears that police or other individuals who have access to the devices are reselling them instead of returning them to Cellebrite for decommissioning.

And those unauthorized resellers are also forgetting to properly wipe the data off of the Cellebrite machines. That means that sensitive data related to criminal cases, known smartphone vulnerabilities, and powerful hacking tools could be leaking out.

Security researcher Matthew Hickey recently bought about a dozen Cellebrite UFED devices, and found a wealth of extremely sensitive data about which devices have been hacked, and what data had been extracted. Potentially, the devices could even contain messages and contacts, though Hickey said he decided not to delve into that data.

As far as which devices it could hack, Hickey said there was evidence that the UFED had successfully broken into Samsung, LG, ZTE and Motorola devices. Hickey himself successfully bypassed security on iPhone and iPad models.

Cellebrite, for its part, isn’t happy about it. Forbes obtained a letter from Cellebrite warning that reselling its tools could open the door for private user data to be exposed.

Part of that may be because the firm has a vested interest in keeping the iPhone vulnerabilities it leverages away from third-parties — and Apple itself.

Apple routinely patches vulnerabilities and closes security holes. Last year, Apple did away with a vulnerability that allowed a similar hacking device called a GrayKey to break into iPhones.

The issue of iPhone hacking tools is a contentious one, as law enforcement entities struggle to bypass the encryption on devices and messaging platforms. Apple believes privacy is a human right, while some government entities take the exact opposite stance.

But, in lieu of legislation, police and government entities have increasingly taken to using hacking tools and services like GrayKey and Cellebrite. Unfortunately, the Cellebrite devices on eBay suggest that the more these devices become commonplace, the more potential for abuse there is.