Russian authorities hacked into the phone of a prominent political opponent while he was in custody, using technology made by forensics firm Cellebrite — even after the company had said it cut ties with Putin’s government agencies, according to a new report that raises fresh questions about whether Western tech companies can truly control how their tools are used once they’re in the wild.
The case is a cautionary tale for any technology company that sells to governments. Cellebrite, an Israeli outfit with a second headquarters in Virginia that sells to governments all over the world — including in the U.S. — had announced it would stop providing hardware and software to Russia. It apparently didn’t, or couldn’t, follow through.
Researchers at The Citizen Lab, a digital rights group based at the University of Toronto, said they found evidence that a Russian government investigative unit used a phone hacking tool made by Cellebrite to break into the iPhone of local human rights dissident and opposition politician Andrey Pivovarov in June 2021.
Three months before that hack, Cellebrite had announced that it would “immediately” stop selling its technology to its Russian government customers. On its official website, Cellebrite claims that as of March 2021, when it cut ties with Putin’s government, the company “can stop the device from functioning or receiving software updates.”
It’s unclear why that didn’t happen in this case. The episode exposes an uncomfortable truth about surveillance tech: once powerful hacking and surveillance technologies reach the wrong customer, clawing them back isn’t so easy. The tools proliferate, get abused, and can keep getting abused, often long after the company that made them has washed its hands of the customer.
“It’s not surprising, and [it] is the result of the policies of Cellebrite,” said Eitay Mack, an Israeli human rights lawyer who has long campaigned against surveillance technology makers like Cellebrite and spyware maker NSO Group.
Contact Us: Do you have more information about Cellebrite? Or about how Cellebrite’s customers are abusing its tech? We’d love to hear from you. From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email
Mack argued that ceasing sales, and even revoking a software license, doesn’t stop a former Cellebrite customer from abusing the company’s technology, as this case demonstrates. Mack also pointed out that Cellebrite refuses to say whether it asks customers to dismantle the hacking tools it sold to them, a critical gap that its own cut-ties announcements don’t address.
This case, Mack added, suggests that former customers can still abuse Cellebrite’s phone-unlocking tool, dubbed UFED, even after the company stops supporting the customer and presumably revokes its software license. In theory, that should make the company’s devices less useful.
John Scott-Railton, a senior researcher at The Citizen Lab, told TechCrunch that Cellebrite “should also remote-disable deployments following credible reports of abuse, and end the era of plausible deniability by implementing cryptographically-signed watermarks on all imaged devices.” In plain terms, Cellebrite should be able to remotely brick its own tools when they’re being misused, and it should build in a kind of digital fingerprint so that any data extracted with its technology can be traced back to which specific device was used.