Russian authorities used forensics firm Cellebrite’s technology to hack into the phone of a prominent political opponent while he was in prison — even after the company said it had cut ties with Putin’s government agencies, according to a new report. The report raises new questions about whether Western tech companies can really control how their tools are used once they’re in the wild.
The case is a cautionary tale for any technology company that sells to governments. Cellebrite, an Israeli outfit with its second headquarters in Virginia that sells to governments around the world — including in the United States — declared that it would stop providing hardware and software to Russia. Apparently it didn’t follow through, or couldn’t.
Researchers at The Citizen Lab, a digital rights group based at the University of Toronto, say they have found evidence that an investigative unit of the Russian government used a phone-hacking tool developed by Cellebrite to hack into the iPhone of local human rights dissident and opposition politician Andrey Pivovarov in June 2021.
Three months before this hack, Cellebrite announced it would “immediately” stop selling its technology to Russian government customers. On its official website, Cellebrite claims that starting in March 2021, when it cut ties with Putin’s government, the company “may stop the device from working or receiving software updates.”
In this case, it’s not clear why that didn’t happen, and the episode exposes an uncomfortable truth about surveillance technology, which is that once powerful hacking and surveillance technologies reach the wrong customer, they’re not so easy to reverse. Tools proliferate, are abused, and can continue to be abused, often after the company that makes them has washed its hands of the customer.
“It’s not surprising, and (it’s) the result of Cellebrite’s policies,” said Eitay Mack, an Israeli human rights lawyer who has long campaigned against surveillance technology makers like Cellebrite and spyware maker NSO Group.
Contact us
Want to learn more about Cellebrite? Or about how Cellebrite’s customers abuse its technology? We would love to hear from you. You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device and network by calling +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by e-mail.
Mack argued that the suspension of sales and even the revocation of the software license did not prevent a former Cellebrite customer from abusing the company’s technology. Mack also noted that Cellebrite refuses to say whether it asks customers to dismantle the hacking tools it sells them, a critical loophole that its announcements of severed ties do not address.
Mack added that even after the company stopped supporting the customer and possibly revoked its software license, former customers could still be abusing Cellebrite’s phone unlocking tool, called UFED. In theory, the loss of support and license should make the company’s devices less useful.
John Scott-Railton, senior scientist at Citizen Lab, told TechCrunch that Cellebrite “should also remotely disable deployments after credible reports of abuse and end the cycle of plausible deniability by enforcing cryptographically signed watermarks on all described devices.” Simply put, Cellebrite needs to be able to remotely brick its tools when they are being misused, and it needs to create a kind of digital fingerprint so that any data extracted by its technology can be traced to the specific device that was used.
Cellebrite sells hardware devices designed to unlock and jailbreak cell phones connected to them. Over the years, researchers have documented cases of the company’s customers using its technology against dissidents, human rights activists and journalists in Hong Kong, Kenya and Jordan. In response to some of these findings, Cellebrite cut ties with Bangladesh, China and Hong Kong, Myanmar and Serbia.
Cellebrite’s chief marketing officer, David Gee, said in an email to Citizen Lab, which he shared with TechCrunch, that the company “ceased all sales and services to the Russian Federation in March 2021, terminated existing licenses, and immediately began canceling all legal contracts. Any use of legacy Cellebrite equipment in Russia is completely terminated after March.”
Gee, as well as Cellebrite spokesman Victor Cooper, did not respond to a series of specific questions sent by TechCrunch.
In Pivovarov’s case, Citizen Lab researchers said they were able to find forensic evidence that his phone was jailbroken with Cellebrite UFED after Russian authorities detained him and confiscated his iPhone 12 and MacBook in May 2021.
Pivovarov also shared with the researchers the court document he received as part of the criminal prosecution. In it, the Russian government’s Center for Criminal Expertise detailed that it used Cellebrite’s UFED to hack his phone, saying authorities used UFED to extract information including WhatsApp and Telegram messages. They also searched the phone for political terms as well as the names of opposition figures, which included what researchers described as alleged hacking campaigns by the Russian government.
Pivovarov was the director of the currently active opposition group “Open Russia”. He was then convicted and given four years in prison. He was released in August 2024 as part of a prisoner exchange between Russia and Western countries, in which Wall Street Journal reporter Evan Gershkovich was also released.
The Russian embassy in Washington did not respond to a request for comment.





