Police Scotland confirm secret data was not revealed in global leak
Firm behind Scotland’s ‘cyber kiosks’ fell victim to hackers as huge amounts of confidential server files exposed
The Israeli company behind Police Scotland’s controversial cyber kiosk technology has been left reeling after top-secret data was leaked to Japanese authorities.
Interpol, the FBI and the National Crime Agency are among the agencies which have had sensitive and confidential information exposed, according to court documents uncovered by the Haaretz newspaper.
The data – taken from 2015/17 – includes almost half a million emails belonging to senior officials and directors at Cellebrite, its internal communications and exchanges with clients, invoices, and even contracts.
Police Scotland told The Herald they had spoken to the firm and were satisfied that their systems had not been “compromised or affected adversely”.
The force first worked with Cellebrite in 2016 when it trialled a Universal Forensics Extraction Device (UFED) in Edinburgh and Stirling.
The UFEDs – known as cyber kiosks – allow law-enforcement agencies to unlock both iPhones and Android smartphones, and extract most of the data on them. The devices work even if the phones are locked and even if the data is encrypted. This allows police access to stored passwords and tokens, chats, location data, email attachments, as well as deleted content.
However, it is understood that the device is less effective on newer phone models, without access to the passcode.
Soon after the trial, in April 2018, Police Scotland spent more than £444,000 on 41 cyber kiosk units from the company.
The aim was to deploy them across the country within six months. However, that was paused after concerns were raised by MSPs and lawyers.
‘Legal basis’
It was only in 2020 that the Crown Office and independent senior counsel were confident that there was a legal basis for use of the technology. According to Haaretz, information was transferred from Cellebrite to its main shareholder, Japanese Sun Corporation.
This was handed over to Japanese officials investigating alleged financial misconduct. Neither Cellebrite’s management nor its clients knew of the sharing of data. A legal opinion commissioned by the firm warned the leak could damage its reputation.
It wrote: “It is our belief that should the knowledge that such sensitive information was provided to the Japanese authorities be disclosed to Cellebrite customers, it may cause severe reputational damage to Cellebrite (with such clients and others).”
“Cellebrite customers are likely to request to receive from Cellebrite complete disclosure relating to the information disseminated to the foreign authorities, in order to evaluate their exposure.”
That opinion was published last week following a court battle with Haaretz which saw a swathe of court documents relating to a financial dispute lawsuit made public.
After reviewing the full extent of the leak to the Japanese authorities, the company’s lawyer said it contained “confidential information relating to Cellebrite itself [and] confidential information relating to Cellebrite’s clients, including but not limited to agreements entered into with the clients as well as the products used by the clients”.
High-profile clients
The court papers revealed that the FBI and Interpol, the Russian Embassy in Japan, and the Tokyo Metropolitan Police Department were all clients at the time of the leak.
So, too, were the US Department of Homeland Security, the US Marshals Service, and US Immigration and Customs Enforcement.
These, as well as the Royal Canadian Mounted Police, were specifically noted as clients who would be concerned by the disclosure.
The leak also contained communications between Cellebrite and the National Crime Agency, the Ministry of Defence, and the American military regarding “data extraction as part of classified investigations”.
Details of how Cellebrite had aided Nasa and Russian police forces were also contained. It is understood that Police Scotland is not mentioned specifically in the papers released by the court.
A spokesperson for Police Scotland said: “Police Scotland has been liaising with Cellebrite and other partners to fully understand any implications for the service.
“Following this communication, we are satisfied that Police Scotland systems have not been compromised or affected adversely.”
The papers obtained by the Israeli newspaper were attached to a lawsuit filed last month as part of a dispute between Cellebrite and a strategic consultant called David Spector.
Mr Spector was briefly hired by the firm and claims that he is still owed funds.
‘Embarrass’ firm
However, Cellebrite claims he only included the now-revealed documents in his suit to attract media attention to his case and to try to embarrass the company. In response to Haaretz’s report, Cellebrite said “the two legal documents appended to the lawsuit provide an inaccurate and partial portrayal of the events in question and their potential ramifications”.
The documents, Cellebrite said, were added to the lawsuit by Spector “for PR purposes only, and with the clear knowledge that this suit is baseless, does not hold water and does not hold any public interest”.
Cellebrite stressed that “the event described in this report happened five years ago and did not have any effect whatsoever on the company’s activities”.
Last week, it was revealed that Cellebrite had sold phone-hacking tools to the dictatorship in Uganda.
It previously cut ties with China after the technology was reportedly used against pro-democracy protesters in Hong Kong.