Hacker Dumps iOS Cracking Tools Allegedly Stolen From Cellebrite (vice.com) 86
Last year, when Apple refused to unlock the security on an iPhone 5c belonging to the San Bernardino shooter, the FBI turned to an Israeli mobile forensics firm called Cellebrite to find another way into the encrypted iPhone. Now Motherboard reports that a hacker has released files allegedly from Cellebrite that demonstrate how cracking tools couldn't be kept private. From a report: Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools." The ripped, decrypted and fully functioning Python script set to utilize the exploits is also included within," the hacker wrote in a README file accompanying the data dump. The hacker posted links to the data on Pastebin. It's not clear when any of this code was used in the UFED. Many of the directory names start with "ufed" followed by a different type of phone, such as BlackBerry or Samsung. In their README, the hacker notes much of the iOS-related code is very similar to that used in the jailbreaking scene -- a community of iPhone hackers that typically breaks into iOS devices and release its code publicly for free.
piracy is not theft (Score:2, Insightful)
Repeat the meme!
piracy is not theft
piracy is not theft
piracy is not theft
Software cannot be stolen!
Re: (Score:1)
Software can be stolen since you can find it in stores in physical format.
Of course that's not what the article is talking about.
Re: (Score:2, Insightful)
Arson isn't theft either, but it's possible to set a car on fire. Are you telling me that this means cars cannot be stolen?
Re: (Score:1, Insightful)
What do you mean by "in that case"? I'm talking about finding a car that is not yours and taking it away without permission from the owner. That is not vandalism, that's theft.
But it's theoretically possible to douse the car with petrol and set it alight instead. That would be arson, not theft - in your very own words "a totally different crime". And yet theft of cars still exists. The fact that arson is not theft doesn't mean cars can't be stolen. That's the point I was making.
Now GP is claiming that "pira
Re: (Score:2)
Re: (Score:2)
software can be stolen, if you actually ever own the software... otherwise its just a licensing issue? right!!
Re: (Score:2)
Repeat the meme!
piracy is not theft piracy is not theft piracy is not theft
Software cannot be stolen!
https://torrentfreak.com/image... [torrentfreak.com]
Re: (Score:2)
The depravation of property is only one definition of the term "theft"
You are glomming on to that facet of the definition and pretending that the word has no other meaning.
Definition of theft
a. The act of stealing; specifically the felonious taking and removing of personal property with intent to deprive the rightful owner of it
b. An unlawful taking (as by embezzlement or burglary) of property
Also, note the wording "intent to deprive" in the first meaning. That doesn't mean you DID actually deprive the rightful owner only that you intended to.
Re: (Score:2)
Both of those definitions involve leaving the victim without the property. If I find my way into your private FTP directory and download everything, what do you find missing when you next connect to it?
In that scenario, what I did is more easily mapped to trespassing than theft.
Re: (Score:2)
If I make software or something distributed digitally every time someone illegally aquires and uses or distributes a copy that is used I have been deprived a copy I "could" have sold. Their intent was to take and use the copy with out purchasing it. Despite what ever reason they where unwilling to purchase it they did want the copy enough to steal it and use it which means they may have purchased it in the future should circumstances have changed.
Re: (Score:2)
Repeat the meme!
...
Repeat until you're blue in the face. Still doesn't make it true.
Awesome site (Score:1)
Your tax dollars at work. (Score:5, Interesting)
In their README, the hacker notes much of the iOS-related code is very similar to that used in the jailbreaking scene -- a community of iPhone hackers that typically breaks into iOS devices and release its code publicly for free.
Remind me again, how much did the FBI pay Celebrite to get into that single iPhone 5c again?
Re:Your tax dollars at work. (Score:5, Insightful)
One significant difference between the tools jailbreakers use versus Cellebrite's: The recent jailbreaks for iOS require that you run them on an unlocked phone. Additionally, every jailbreak I've used has required me to install an app onto the phone, and then run it from there.
I would be curious to see exactly how the Cellebrite tools get around this, even on an older iPhone.
Re: (Score:2)
Well, part of the reason for the app is to install the untethered jailbreak. Cellebrite doesn't need untethered jailbreaks - a tethere
No link? (Score:1)
Where is the link to the torrent?
Re: (Score:1, Interesting)
You can get it here [magnet].
Not sure how I feel about this. (Score:2)
OTOH, they've intentionally made the private data of many users of this privacy/encryption scheme less secure - not only from the US government and Cellbrite, but now from all who would know what they saw fit to hide, whether nefarious or banal.
I've already had half a fifth of whiskey tonight . . . Help me out here, Slashdot. A/
Re: (Score:2)
Re: (Score:2)
I've already had half a fifth of whiskey tonight . . . Help me out here, Slashdot. A/C's need not apply.
Half of a fifth of a whiskey? so'eh, 1/10th of a whiskey?!?
Re: (Score:2)
I've already had half a fifth
So: a tenth. Go metric already! Come to think of it, 750ml bottles are sometimes referred to as a "metric fifth", this is probably the bottle your whiskey came in. Looking at my own bottles of whisky I can't help but noticing that they are all 700ml. What gives? It would not surprise me one bit if our government is behind this, withholding an additional "angels' share" for themselves. Probably for the benefit of Juncker. Hmm. I better have another one.
Give that man a cigar! (Score:1)
Now let's get to work on getting Trump's tax returns.
The whole "demo" thing is wrong (Score:1)
As FBI asked for for signed executable that could have checked serial number of the phone and would have been useless on other phones.
Told you so (Score:5, Insightful)
This is exactly what I and everyone else was saying at the time about the FBI case. If an exploit was developed for one phone it would be used for all phones and it would eventually leak out into the Internet. I expect each and everyone who said I was wrong about this issue to make a formal apology.
Re: (Score:1)
Behaves of all of internet.
We are sorry.
We should have listened to you.
Won't happen again.
A.Non.Ymous
Isn't this kinda the opposite of what you said? (Score:2)
If
Re: (Score:2)
It wouldn't have mattered if Apple had developed it or not. FBI employees would have had access to the tool and probably common police officers later down the lane. It would just have been a matter of time before it got leaked into the Internet, because it only takes a single mistake or one rogue agent and the cat is out of the bag.
Who stole it first..? (Score:2)
"Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite...some of which may have been copied from publicly available phone cracking tools..."
Well, that's some creative irony labeling a hacker as the thief, since it would appear Cellebrite favors "borrowing" code to create a product to sell to the highest taxpayer-funded bidder...
Re: (Score:2)
... it would appear Cellebrite favors "borrowing" code to create a product to sell ...
If some of this code is GPL'd or similar, there is likely cause to sue, which at the least, should see the (legal) release of all source code. I'm sure even Microsoft, who has acquired Cyanogen, could sue for a monetary sum due to unfair competition and breach of licence.
It is also possible that the open-source community can ask the judge to subpoena the code of other products from the company for an audit into code that should be similarly released.
Re: (Score:2)
If the code is never distributed, GPL does not have an effect.
Very good point.
Do we know if Cellebrite have merely provided a service or have in fact sold or licensed their wares? And, if this is an unknown, would the facts of the case be sufficient to also subpoena the details of the arrangement?
Re:Who stole it first..? (Score:5, Informative)
You misunderstand the GPL.
I doubt that I am misunderstanding the GPL as my livelihood depends on it.
I may be misunderstanding the terms of the situation or not adequately explaining myself.
It is my understanding that Cellebrite have distributed, through a sale or a lease, this software to law enforcement agencies on multiple ocassions. I may in fact be wrong and Cellebrite may have simply provided a service to decrypt the phones themselves - though this would break the chain of custody and create unreasonable liability. Your argument of internal use exemption would apply in the latter case.
According to Cellebrite's Wikipedia entry, it appears that they are indeed marketing and selling this as a product - distributing the software to law enforcement around the world.
Re: (Score:2)
Re: (Score:2)
Don't the people who the software has been distributed to get to require the source code?
Besides the point that this was purchased with Public monies:
(from GNU's GPL FAQ [gnu.org]
Does the GPL require that source code of modified versions be posted to the public?
No. Only to the users.
Does the GPL allow me to require that anyone who receives the software must pay me a fee and/or notify me?
No. You can charge people a fee to get a copy from you. You can't require people to pay you when they get a copy from someone else.
What does “written offer valid for any third party” mean in GPLv2?
P
Re: (Score:2)
Don't the people who the software has been distributed to get to require the source code?
Yes. Code must be distributed with the software OR a written offer to provide the code must be distributed with the software.
Any person who has the software may then freely re-distribute it for a fee or for free. In this case, the written offer must still be honoured by the developer.The GPL renders it not illegal nor immoral to "leak" the software and every copy is legitimate. Hacking would still be a crime if it occurred but the copies would be legitimate.
My argument is: If Cellebrite have distributed sof
pastebin link? (Score:1)
Where is the pastebin link? Why don't we get the primary source for this story? :(
Re: (Score:1)
http://pastebin.com/y9P19guS
but download links are already dead...
Re: (Score:3)
Does this mean? (Score:3)
I don't need that god awful piece of shit iTunes to manage content on my phone? I mean the main window has a sync button. I add files to my library and click sync but it never copies the files. Only when you click on the tiny phone button on the toolbar and then look at the storage space breakdown does a second sync button show up. This is what actually copies files to your phone. What the fuck Apple?
Oh and say I don't like Apple's default media player. In order to use a third party app I have to enable file sharing with that app, and copy my files over to it. That means I need to delete my iTunes library or else everything is copied to the phone TWICE. Again, what the fuck?
Re: (Score:2)
I don't need that god awful piece of shit iTunes to manage content on my phone? I mean the main window has a sync button. I add files to my library and click sync but it never copies the files. Only when you click on the tiny phone button on the toolbar and then look at the storage space breakdown does a second sync button show up. This is what actually copies files to your phone. What the fuck Apple?
I feel like you're doing something wrong here. Isn't the default action of iTunes to automatically sync the device when you plug it in? You have to go to the prefs and explicitly disable that function. As far as your music library goes, in it's original configuration, I do not think iTunes is going to sync new files automatically -- unless you have it set to sync your entire library. Few people would be doing that as most have music libraries too large to sync, or large enough they would not want to dedicat
Re: (Score:2)
I feel like you're doing something wrong here. Isn't the default action of iTunes to automatically sync the device when you plug it in?
Clicking that main sync button only syncs phone data, not media. Why, I have no idea.
If you aren't interested in using iTunes as your media player, why are you adding the files to iTunes's music library to start with? Just add them with your third-party player and leave them off iTunes. If the third-party player can't read the phone's iTunes library files, and doesn't have an automated way of loading tracks to the device, it sounds like a lousy player. And going back to my previous paragraph, iTunes adding the music files to your phone and causing things to duplicate is something you've done wrong in your original device configuration.
I was talking about the media player on the phone. On my PC I use Winamp. iTunes is the only way to copy files to the phone. I don't like the media player on the phone so I downloaded a third party one. The only way it sees files is to enable sharing with iTunes and copy the files in specifically for that app. It won't play what already exists on the phone. That is how Apple locks things down. Yead you
I use an Android handset myself. But I have my music library in iTunes on Windows (because of my old iPod), and the files are synced to my NAS on an automated schedule (it's running right now, in fact). There on the NAS, the files are accessed for playback through 1) a generic DLNA server, 2) Plex, and 3) Subsonic. I have a third-party Subsonic app on my phone, which is what I use to load/play back my own music library on the device instead of manually copying files. The Subsonic client can natively playback all but one format of music from my synced iTunes library, and that's the old 128 kbps DRM iTunes Music Store files, which I have a handful of. It plays back the CDs I ripped in AAC (.m4a), the WAV files, even the Apple Lossless files, all without transcoding. But I can configure the Subsonic server to transcode the high-bitrate lossless files on-demand for streaming specifically on the phone's player. This way, the download usage/storage for the phone is much lower. I have the phone's client set to only download over wi-fi, but I paid the piddly $12/year fee for Internet access on my Subsonic install. So I can load and playback any file from my Subsonic server from any wi-fi connection. I don't really have to plan what music I want on my phone unless I'm going to go on a walk, since I can get whatever I want otherwise. If I was willing to pay for a cellular data plan even that would not matter. Oh, and the client has a setting to automatically load new files that have appeared in the library since the last sync, without me having to set up a Smart Playlist-style trick.
I was an Android user
Breaking & Entering, Illegal access (Score:1)
If someone enters your home or business while you're away, goes through your file cabinet, takes pictures of every document, then leaves without disturbing anything, it's still illegal. The only exception is if your government does it then it's just called surveillance. Double standard hypocrisy. If I remember correctly we had a President that was impeached for ordering exactly that. There should be no legal difference between data on your device, in a briefcase, or in your file cabinet.
The old slashdot (Score:1)
Would have posted the link to actual hacking tools
The new slashdot just constantly links to vice.com for 60% of it's daily content.
Imagine if vice.com suddenly went out of business? Slashdot would have no content to post! All they would have is Rothschild Global warming FUD stories to post all day.
Link to dumps (Score:4, Informative)
Link to dumps [pastebin.com]
Release 1 - the supply chain - a backdoor with backdoors.
In this release find a small sample of the 900GB of mere 'user accounts and basic contact
information' recently liberated from Cellebrite.
The exploit techniques that Cellebrite employ are wrapped in various encryption schemes .eas (DLL designed to target devices and applications) and .epr
in an attempt to protect 'their' intellectual property. The custom routines for
decrypting this lame ass protection are included in this release along with an
accompanying sample
(bootloaders, exploits and shellcode) files.
The more discerning eye will notice that some of the Apple exploits bear a remarkable
resemblance to those available to any teenager interested in the jailbreaking scene;
perhaps not all those tax dollars have been wasted, the Blackberry epr is still worth
a look at.
The ripped, decrypted and fully functioning python script set to utilize the exploits
is also included within.
Download links:
https://mega.nz/#!sZUkSbDT!l74... [mega.nz]
https://mega.nz/#!0d9zBQLI!DdK... [mega.nz]
Coming soon.....
Release 2 - watching the watchers - pivot to win.
In this release find a small sample of files retrieved via the weaponized Cellebrite
update service deployed on MS Windows based devices and desktops (SYSTEM privs) within
the customer infrastructure.
Analysis of the compression and obfuscation employed by Cellebrite on products supplied to
British MOD juxtaposed with the protection free versions supplied to SOCOM and others is
also included within.
@FBI Be careful in what you wish for.
Re: (Score:2)
links are dead ;( any workign ones ?
Google "Backdoorz". Expecting a re-release in the next few days. Hopefully on Pastebin but may be elsewhere.>/p>