The reliability of information gleaned from thousands of mobile phones analysed by Police Scotland could be called into question after analysis software it uses was apparently hacked.
Police Scotland uses specialist forensic analysis technology provided by a company called Cellebrite to help analyse thousands of mobile phones each year.
Cellebrite products help officers to gather data from mobile phones through ‘kiosks’. These allow officers to connect to almost any kind of mobile phone to look at the texts, photos, videos, and other data on it.
But now campaigners have called on Police Scotland to restrict the use of Cellebrite technology after new claims of serious security flaws in its software prompted an internal investigation.
The firm is popular with law enforcement agencies globally and boasts that its “physical analysers” can break the security protections provided by mobile phone manufacturers as well as encryption on hundreds of different apps that may be installed on them.
In 2017, The Ferret published details of the process used by Police Scotland and the range of apps that Cellebrite claimed it could analyse at that time.
The Israeli firm has been criticised in the past for selling its technology to regimes with poor human rights records.
The technology has long been controversial in Scotland too.
Police Scotland's use of Cellebrite “kiosks” has been the focus of intense scrutiny. This included a probe by a Holyrood Committee, after it emerged the force had spent more than £1m on Cellebrite equipment without fully considering the privacy or human rights implications of using it.
On 21 April 2021, Moxie Marlinspike, CEO of the non-profit organisation that develops the popular encrypted messaging app Signal, published a blog post where he claimed to have identified significant security failings in the Cellebrite software.
He claimed: “It’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data).”
The coder concludes: “This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.”
He also claimed that the security firm may be using copyrighted Apple software without permission, exposing their customers to further risk.
Although the Cellebrite software flaws have not been independently verified, a Privacy International (PI) UK analyst has warned that there could be serious implications for any evidence gleaned from phones by law enforcement agencies using the Cellebrite technology.
Analyst Ed Geraghty said: “Regardless of malice, given otherwise innocuous files are able to cause — apparently arbitrary — effects on Cellebrite’s Physical Analyser, it can no longer be relied on to provide evidence fit for a Court of Law.
“PI has raised repeated concerns about police use of Cellebrite’s Physical Analyser, particularly the routine use of intrusive, untargeted ‘mobile phone extraction kiosks’ against victims and even witnesses of crimes.”
Police Scotland has sought to train hundreds of officers to use the Cellebrite kiosks in a bid to tackle a backlog of electronic devices that require forensic analysis.
However, rights groups have consistently raised concerns over the potential for intrusive digital searches to gather far more detail on people’s lives than necessary.
Heather Burns, policy manager at the Open Rights Group, sits on the Scottish Government’s independent advisory group on emerging technologies in policing.
She said: “The fact that these technologies are buggy and appear to disregard software licences of other vendors should concern the Police. It points to short cuts in product development.
“We have asked Police Scotland through their advisory panel to explain what procedures they have for assessing such software for security and reliability.
“We appreciate the openness that Police Scotland is providing with their advisory panel and hope that this will be used to have an open dialogue about these concerns.
“While we understand that Police Scotland do not use the technology evidentially, which is the biggest area of risk, other authorities do. Police Scotland should therefore not consider extending the use of this software while these issues are unresolved.”
A Police Scotland spokesperson said: “Police Scotland is liaising with Cellebrite and other partners to fully understand any implications this may have for the service and what mitigation measures, if any, are required.”
A spokesperson for Cellebrite said: “Cellebrite is one of the most trusted names in the industry having served the law enforcement community and private enterprise for more than 14 years.
“We constantly strive to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound.
“Cellebrite understands that research is the cornerstone of ensuring this validation, making sure that lawfully obtained digital evidence is utilized to pursue justice.
“We will continue to integrate these standards in our products, software, and the Cellebrite team, in order to deliver the most effective, secure, and user friendly tools for our customers.”
Photo credit: iStock / ipopba