Russian authorities hacked into the phone of a prominent political opponent while he was in custody, using technology built by forensics firm Cellebrite, even after the company said it had cut ties with Putin’s government agencies, according to new research. This raises new questions about whether Western tech companies can really control how their tools are used once they are out in the wild.
The case is a cautionary tale for any technology company that sells to governments. Cellebrite, an Israeli outfit with a second headquarters in Virginia that sells to governments around the world, including the U.S., had announced that it would stop supplying hardware and software to Russia. Apparently it didn’t or couldn’t follow through.
Researchers at The Citizen Lab, a digital rights group based at the University of Toronto, said they found evidence that a Russian government investigative unit used a Cellebrite phone hacking tool to hack into the iPhone of local human rights dissident and opposition politician Andrey Pivovarov in June 2021.
Three months before this hack, Cellebrite had announced that it would “immediately” stop selling its technology to Russian government customers. On its official website, Cellebrite claims that starting in March 2021, when it cut ties with Putin’s government, the company “may stop operating the device or receiving software updates.”
It’s unclear why that didn’t happen in this case, and the episode reveals an unpleasant truth about surveillance technology: once powerful hacking and surveillance tools reach the wrong customer, it’s not so easy to get them back. Tools proliferate, are abused, and may continue to be abused, often long after the company that made them has washed its hands of the customer.
“No wonder, and [it’s] the result of Cellebrite’s policies,” said Eitay Mack, an Israeli human rights lawyer who has long campaigned against surveillance technology makers like Cellebrite and spyware maker NSO Group.
Mack argued that ceasing sales, even revoking a software license, doesn’t stop a former Cellebrite customer from abusing the company’s technology, as this case shows. Mack also pointed out that Cellebrite refuses to say whether it asks customers to dismantle the hacking tools it sold them, a critical loophole that its own cutback announcements do not address.
The case, Mack added, suggests that former customers can still abuse Cellebrite’s phone unlocking tool, called UFED, even after the company stops supporting the customer and possibly revokes the software license. In theory, this should make the company’s devices less useful.
John Scott-Railton, senior researcher at The Citizen Lab, told TechCrunch that Cellebrite “should also remotely disable deployments after credible reports of abuse and end the era of reasonable denial by applying cryptographically signed watermarks to all imaged devices.” Simply put, Cellebrite should be able to remotely disable its own tools when they’re abused, and should incorporate a kind of digital fingerprint so that data extracted with its technology can be traced back to the specific device used to extract it.
Cellebrite sells hardware devices designed to unlock and jailbreak cellphones that are attached to them. Over the years, researchers have documented cases where the company’s customers used its technology against dissidents, human rights activists and journalists in Hong Kong, Kenya and Jordan. In response to some of these findings, Cellebrite severed its ties with Bangladesh, China and Hong Kong, Myanmar, and Serbia.
In an email to The Citizen Lab, shared with TechCrunch, Cellebrite’s chief marketing officer, David Gee, said the company “ceased all sales and services in the Russian Federation in March 2021, terminating existing licenses and immediately began unwinding all legal contracts. Any use of legacy Cellebrite material is entirely within Russia.”
Gee, as well as Cellebrite spokesman Victor Cooper, did not respond to a series of specific questions sent by TechCrunch.
In Pivovarov’s case, The Citizen Lab researchers said they were able to find forensic evidence on his phone that he had been hacked with Cellebrite UFED after Russian authorities arrested him and seized his iPhone 12 and MacBook in May 2021.
Pivovarov also shared with investigators a court document obtained as part of his prosecution. In it, the Russian government’s Criminalist Expert Center detailed the use of Cellebrite’s UFED to hack into his phone, stating that authorities used UFED to extract data, including WhatsApp and Telegram messages. They also searched the phone for political terms, as well as names of opposition figures, including targets of what investigators described as alleged Russian government hacking campaigns.
Pivovarov was the director of the opposition group Open Russia. He was later sentenced to four years in prison, before being released in August 2024 as part of a prisoner exchange between Russia and Western countries that also freed Wall Street Journal reporter Evan Gershkovich.
The Russian Embassy in Washington, DC did not respond to a request for comment.
