When Canadian cops need to break into an encrypted cellphone, they use this technology
As the RCMP tries to convince the public that phone encryption is hobbling its investigations, new documents obtained by VICE News show that the federal police agency already has the ability crack encrypted and locked cellphones without help from the owner or the manufacturer.
The records, obtained via access to information request, show that the RCMP’s British Columbia branch just renewed its license for the Cellebrite Touch Ultimate.
That device, according to the documents, “enables the most technically advanced extraction, decoding, analysis, and reporting of mobile data. It performs physical, logical, file system, and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets, and phones manufactured with Chinese chipsets.”
The cost of the renewal, dated February, 2016, was redacted from the documents. The records show that they were sent out to both the B.C. division of the RCMP, and the local RCMP detachment in Nanaimo. Other contract documents suggest that, for the Cellebrite device and an enclosure in which police can hack the phone — one that blocks all outside cell, Wi-Fi, and other signals — the total cost was just above $90,000.
The police went through TEEL Technologies Canada, the Canadian distributor for Israel-based Cellebrite, to buy the technology.
Cellebrite has become a handy tool for investigators worldwide. And there’s good reason. The company recently reported that their devices can even extract user data from Pokemon Go.
— Cellebrite Forensics (@Cellebrite_UFED) August 15, 2016
In San Bernardino, California, the FBI reportedly went to Cellebrite after Apple refused to help them crack the iPhone of two terror suspects.
While it’s not exactly a secret that the RCMP uses Cellebrite — the only public admission from the force is a testimonial posted to the Cellebrite website by an RCMP officer, lauding the technology and saying his team uses it “every day” — the federal police have otherwise been publicly silent about the phone-hacking technology.
VICE News has followed the RCMP’s surveillance powers closely. Last April, VICE News and Motherboard reported how the RCMP obtained BlackBerry’s global decryption key. More recently, we’ve covered how the force deploys phone-tracking hardware, how they’ve been trying to keep it secret, and how they’ve worked to build a “new public narrative” to obtain even more powers.
The RCMP refused to address their use of Cellebrite technology for this story, just as they have refused to address questions on other stories regarding their sensitive investigative techniques.
“We generally do not comment on specific investigative methods, tools and techniques outside of court,” an RCMP spokesperson told VICE News over email.
Staying mum on their current techniques hasn’t stopped the force from launching a public relations campaign on the problem of encryption — dubbed “going dark” — aimed at getting new powers, however.
In a five-part series where the RCMP made a public case for those new powers, the federal police provided a summary of an ongoing investigation to the Toronto Star and CBC where a locked phone thwarted their efforts to solve a child abuse case. “The phone is locked by a pass code and investigators have not been able to access the video,” the two outlets reported. “Police have no legal authority to compel the man to unlock his phone.”
That is exactly the sort of case where Cellebrite has come in handy for the RCMP.
In a sexual assault and child pornography case from this past April, an RCMP investigator had an iPhone 5 that was password protected. Corporal Gary Luk, of the Richmond, B.C. detachment of the RCMP, cracked it.
“Cpl. Luk explained that Cellebrite creates a mirror image of the data stored on a mobile device without altering the content of that information. This preserves the integrity of the data,” wrote a B.C. judge in a ruling pertaining to the case. The judge noted that Luk limited the search of the devices to the search warrant that authorized the use of the Cellebrite, and managed to obtain some 10,000 messages, as well as photos and video from the iPhone, and five other devices.
In another case, a drug investigation in Calgary, the RCMP used the Cellebrite device to extract call records, contacts, text messages, and images.
In the half-dozen court rulings where Cellebrite is mentioned by name, the RCMP managed to crack a variety of phone models — iPhone, BlackBerry, Sony, and LG.
But there are a variety of other cases where the nature of the RCMP’s phone-hacking prowess simply isn’t detailed in court.
In one Vancouver kidnapping case that wrapped-up in 2015, the RCMP cracked into three encrypted BlackBerry phones, and “GPS tracking information was extracted from the laptops and encrypted emails were extracted from the Blackberries and decrypted by the RCMP Technical Assistance Team.” The police also obtained text messages, including some messages that had been deleted by the users.
One of the RCMP officers involved in that case is the same officer whose signature appears on the invoice receipts for the Cellebrite technology sold to the RCMP’s B.C. division.
— Cellebrite Forensics (@Cellebrite_UFED) June 10, 2016
The RCMP, behind closed doors, appear to even recognize that existing technology can fix their ‘going dark’ problem — within the confines of existing laws.
Next month, Constable Frank Dudas of the RCMP’s Technological Crime Section, is slated to speak on a panel regarding the “cutting-edge solutions” for search warrants, especially for encrypted and locked smartphones, “to maximize technology investments and respect privacy rights within Canada.”
Dadas will be joined on that panel by Daniel Embury, a technical director at Cellebrite.
Ultimately, mention of this sort of technology appears nowhere in the federal government’s national security consultations, which were designed to give the public a voice in drafting new legislation that could authorize — or forbid — certain intrusive investigative techniques.
A backgrounder prepared for that consultation specifically mentions that “encryption challenges also apply to the court-ordered production of historical data, such as email, text messages, photos and videos from lawfully seized smartphones, computer hard drives and other digital devices,” and mentions such difficulties in the San Bernardino case.
The government consultation, however, fails to mention how police are already able to obtain and analyze such data.
Cover: via the Cellebrite Facebook page