The Israeli company Cellebrite, known for building hardware and software to extract data from most cell phones, was itself hacked.
Earlier this week a hacker gave Motherboard 900 gigabytes of data from Cellebrite. We do not know if this is all they have or merely the beginning of a long trickle.
Motherboard says that there was a lot of technical data, customer information, customer trouble tickets, device images.
At this point, it is not clear what the hacker plans to do with the data.
The trouble tickets give some indications of countries that they sell to such as Turkey, United Arab Emirates and Russia.
While Cellebrite says that they only sell to governments (police and military), some of those governments have a questionable civil rights record.
Cellebrite, in defending themselves, said the hack was illegal. Some people say that while the software that they make and sell may be technically legal (they say they are not responsible for how their software is used), it is used in ways that may not be morally supportable. Of course, that is a very subjective conversation.
Besides saying that the hack was illegal, they said that the data was from an old, web facing customer portal.
What we do not know is how much other data was taken and whether there will be “interesting” information in the device images that were stolen.
Certainly Cellebrite is not unique in selling hacking software to questionable countries, nor are they the first – or last – “hackers” to be hacked themselves.
If, in fact, the data taken was from an old server used by customers who had not moved to a new server, it points out that those migrations should be managed so that old servers don’t stick around any longer than needed. Servers that are not powered on are hard to hack.
Information for this post came from Ars Technica.