Turns Out Banks Use Cellebrite Phone Cracking Tech Too

This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.

The biggest customer base for phone cracking technology is likely law enforcement: cops who need to circumvent passcodes on seized devices, and extract data like SMS, emails, and more from mobile phones.

But this sort of tech is also in the hands of banks. It's perhaps common knowledge within information security circles, though the wider public is probably much less aware that private companies, which will have different forms of oversight than the police, use phone cracking products to conduct their own investigations.

"The larger banks have internal fraud and investigation teams. Just like an external consulting team," Jon Rajewski, director and principal investigator at the Senator Patrick Leahy Center for Digital Investigation told Motherboard in a Signal message.

One of the most popular mobile phone forensics companies generally is Cellebrite, an Israeli firm that has law enforcement customers all over the world. Cellebrite's flagship device, the Universal Forensic Extraction Device (UFED), can pull data from thousands of different mobile phone brands and versions.

According to Cellebrite customer support messages, several banks have purchased and use UFEDs. These messages were included in a 900GB cache of material obtained by Motherboard from a hacker.

"Dear Support, I am having some issues connecting to a standard non-security protected Samsung Galaxy S GT-I9001," reads a 2012 message from a UK Barclays Bank computer forensic investigator. According to this employee's LinkedIn profile, at the time of the message he was responsible for recovering, reporting, and analysing digital evidence related to investigations.

The cache also includes a 2012 message from an investigator at TD Bank, as well as a 2011 message from a senior member of Bank of America's "cyber forensic investigations" team. The Bank of America message was related to extracting passcodes from mobile phones.

Why would banks need phone cracking devices, anyway?

"A lot of different types of companies do their own internal investigations," Jon Zdziarski, a forensic scientist, told Motherboard in a Signal message. "For example a sexual harassment claim that took place using employee equipment. Not something for the police to deal with, but an internal team. Or fraud sure."

For its part, Cellebrite requires customers to present a court order or other form of authorization in order to use its dedicated iPhone unlocking service. And when police want to search a device, they may need to obtain a warrant to do so. But when a company is running its own internal investigations, does that leave more room for potential abuses?

"Ethics is always important," Rajewski said. "Scope of search is key. So with law enforcement they are allowed to search for X, Y and Z. In private industry, it comes down to a few things. Who owns the device. What is the Acceptable Use Policy and which country the device is in."

Zdziarski, the forensic scientist, added, "They [company investigators] legally can't search personally owned equipment without consent."

According to the Barclays Bank computer forensic investigator's LinkedIn page, he had to ensure that all staff follow relevant standards and requirements during investigations. It is not clear what those standards are, however.

Barclays Bank and TD Bank declined a request for comment from Motherboard, and Bank of America did not respond.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.