Chinese Police Kept Buying Cellebrite Phone Crackers After Company Said It Ended Sales

The Israeli company purportedly left China last year. The subsequent sales of its products there could cloud its impending IPO.

A Cellebrite forensic device extracts data from a Samsung mobile phone during a demonstration at a training centre in Beijing, China June 19, 2018. Picture taken June 19, 2018. REUTERS/Cate Cadell - RC1C3A570C50
A Cellebrite forensic device extracts data from a cellphone during a demonstration in Beijing on June 19, 2018. Photo: Cate Cadell/Reuters

In its bid to go public next week, Israeli cellphone hacking company Cellebrite has tried to present itself as a defender of global human rights, highlighting its withdrawal from Bangladesh, Belarus, China, Hong Kong, Russia, and Venezuela. In a presentation to investors filed with the U.S. Securities and Exchange Commission earlier this month, the company claimed that its mission was to “protect and save lives, accelerate justice and preserve privacy in global communities.”

But even after Cellebrite said it withdrew from China and Hong Kong, an Intercept investigation has found, police on the mainland continued to buy the company’s Universal Forensic Extraction Device, or UFED, products, which allow officers to break into phones in their possession and siphon off data. While Cellebrite did deregister its Chinese subsidiary earlier this year, it appears to have done little about the brokers that peddle its hacking technology. Chinese government procurement award notices and posts on resellers’ websites show that police have continued to purchase powerful Cellebrite software, while resellers have continued to provide updates for the software. In one case, a reseller reported delivering the Israeli company’s software to border guards in Tibet and demonstrating how it could be used to search people’s WeChat accounts.

The findings follow reports of abuses involving Cellebrite technology elsewhere in the world — including in Bahrain, Botswana, Indonesia, India, and Saudi Arabia — that the company has not meaningfully addressed. “Cellebrite hasn’t demonstrated that they have made serious efforts to investigate the misuse of their technology,” said Natalia Krapiva, tech legal counsel for Access Now. “It seems it’s a part of their business model that they are just selling their technology to whoever will buy it, without any concern for what the consequences will be.”

Cellebrite aims to soon go public through a merger with a special purpose acquisition company, a blank-check firm formed for the sake of the IPO. Shareholders in that company, TWC Tech Holdings II Corp., will vote on the merger Friday. Cellebrite said in filings that it expects to go public shortly after the shareholder vote.

“They are just selling their technology to whoever will buy it, without any concern for what the consequences will be.”

In response to a detailed list of questions, a public relations firm hired by Cellebrite sent a statement. “Cellebrite has developed a strong compliance framework, and our sales decisions are guided by internal parameters, which consider a potential customer’s human rights record and anti-corruption policies,” the statement reads. “Cellebrite remains committed to safeguarding human rights and has developed strict controls ensuring that our technology is used appropriately in legally sanctioned investigations.”

The company did not respond to specific findings about the continued sale of its products in China.

The revelations raise questions about Cellebrite’s ability to tamp down human rights controversies going forward, a key issue for the company. Access Now has called on the Nasdaq stock exchange to decline to approve Cellebrite’s listing.

Another Israeli digital forensics company, NSO Group, has made headlines over the past few months after its Pegasus spyware was found on the phones of journalists, human rights activists, and other prominent figures, suggesting that they had been remotely hacked. Cellebrite’s sweet spot is different. It is best known for its UFED products, which require physical access to a target’s phone but are both easy to use and relatively inexpensive. Police in China seem to favor UFED 4PC, a program that allows them to break into phones when they are connected to an investigator’s desktop computer. Cellebrite also sells portable field hacking devices, the smallest of which is around the size of an iPad. The Israeli company, which is a subsidiary of the Japan-based Sun Corporation, claimed in a recent SEC filing that its products are used by the 20 largest police departments in the United States. In 2019, OneZero obtained a contract that revealed the use of Cellebrite technology by the Manhattan District Attorney’s Office.

Joshua Wong, secretary-general of the Demosisto political party, wears a protective face mask as he uses his smart phone during a news conference to announce his bid to enter into the unofficial pro-democratic camp primary election for the Legislative Council in Hong Kong, China, on Friday, June 19, 2020. To overcome fractures between the moderates and more radical localists, legal scholar Benny Tai is attempting to organize an unofficial primary on July 11 and July 12 to select favored candidates in each district. Photographer: Chan Long Hei/Bloomberg via Getty Images

Pro-democracy leader Joshua Wong said Hong Kong police used Cellebrite technology to hack his phone.

Photo: Chan Long Hei/Bloomberg via Getty Images

Human rights groups have repeatedly sounded the alarm about policing in China, where security officials have used predictive policing software, facial recognition, and internet snooping to surveil ethnic minorities and other targeted groups. Cellebrite’s UFEDs can give police access to years’ worth of data. “The use of hacking is both targeted on dissidents and activists throughout China, but also routine in a place like Xinjiang,” the region where Chinese authorities have severely repressed Muslim Uyghurs, said Maya Wang, senior China researcher at Human Rights Watch. “And in both cases it could lead to people being imprisoned arbitrarily, because there’s no rule of law in China in essence.” People in Xinjiang have reported being forced at police checkpoints to plug their phones into devices.

In October 2020, following an outcry over the use of its products to surveil Hong Kong protesters, Cellebrite announced that it would leave China and Hong Kong “effective immediately.”

For years before that, the company quietly built up a presence in the region. Cellebrite established a subsidiary in Beijing in September 2015, as the Chinese government was investing heavily in surveillance technology. According to LinkedIn, the company eventually hired a sales director for greater China. A source familiar with the telecommunications industry in China said that in addition to sales staff, Cellebrite also hired researchers in the country.

“It could lead to people being imprisoned arbitrarily.”

Many of the Cellebrite researchers who spend their days collecting vulnerabilities in different cellphone models are based at its campus in Petah Tikva, Israel, where they are recruited from other tech companies or from the Israeli military’s famed signals intelligence arm Unit 8200. But the company also had projects in the works at the time that would have benefited from a research presence in China. It boasts that its UFED CHINEX software add-on can help police extract data from certain Chinese-made phones, for example.

Cellebrite declined to comment on the size of its China operation or on whether it employed researchers there prior to its withdrawal from the market. As Cellebrite prepared to exit China, an Israeli lawyer in Shanghai was made the company’s chief representative there. When reached by phone, she hung up.

In 2016, when Apple refused to help the FBI gain access to the iPhone of the San Bernardino shooter, one of two assailants in a shooting that left more than a dozen people dead, it turned to an unnamed hacking firm for help. Speculation that the company was Cellebrite generated widespread press in China. The claim turned out to be false, but it was nonetheless a publicity coup for the Israeli company in China, where digital security researchers became fascinated by Cellebrite.

As the Chinese government has built up its surveillance infrastructure, homegrown Chinese technology companies have managed to replicate many types of sophisticated technology, but the UFED has remained elusive. Daniel Sprick, a legal scholar and expert on Chinese policing at the University of Cologne, said he repeatedly ran across discussion of Cellebrite while preparing a survey of policing technology in China. In Chinese academic writing on the topic, he said, “Cellebrite and its UFED system were always presented as the benchmark, which Chinese producers apparently were yet not able to come close to.” The Chinese company that has come closest is Meiya Pico, but even some of its forensic devices are made to work with Cellebrite’s software and file format.

Surveillance technology in China is typically bundled with other products and sold to government buyers by well-connected brokers, called systems integrators. As Cellebrite grew its business in Asia, a network of local resellers hawked its technology to Chinese police. Employees of the Israeli tech company based in Singapore, meanwhile, publicized trainings on Cellebrite’s website in the simplified characters used on the mainland. The trainings covered topics of interest to existing customers, including how to extract data from phones with Qualcomm chips and how to use Cellebrite’s UFED Ultimate software.

Cellebrite employees also networked with high-level security officials in China.

A Singapore-based Cellebrite employee gave a speech at a Beijing policing conference in 2019.

Screenshot: People’s Public Security University of China website

In 2019, Frederick Huang, Cellebrite’s technical support manager in Singapore, traveled to Beijing to speak at a conference hosted by the People’s Public Security University of China, according to the conference agenda and an account published on the conference website. The event was a veritable who’s-who in surveillance technology. Other speakers included Hong-Eng Koh, a Huawei executive who formerly marketed Oracle policing technology in China, and University College of London professor Tao Cheng, who received a controversial grant from a flagship Chinese predictive policing lab. Huang’s speech was titled “A New Technology That Enables Rapidly Changing Digital Environments.”

Cellebrite’s hustle in China paid off. Police academies in Hunan and Henan provinces bought the company’s technology, procurement documents show.

One key Cellebrite partner was Beijing Information Security Technology, a reseller that in 2019 posted a letter appearing to be from Cellebrite to its WeChat account. The document, which was printed on official letterhead and bore the signature of Arthur Veinstein, then Cellebrite’s managing director for Asia Pacific, said that the Beijing reseller was a Cellebrite “gold distributor” and that it was authorized to distribute the Israeli company’s products and trainings in China. Procurement award notices detailing deals with police in China back up Beijing Information Security Technology’s claim that it distributed Cellebrite products.

Cellebrite declined to comment on the authenticity of the letter or on whether the company was ever an authorized partner. Beijing Information Security Technology did not respond to a request for comment.

Then came a major public relations crisis. In December 2019, amid massive protests in Hong Kong over a proposed extradition bill, police there seized the phone of activist Joshua Wong. Although Wong refused to hand over the password, he said that police managed to access his WhatsApp conversations. Wong later said that police had used Cellebrite technology to access his phone. Concern spread that Wong was not alone. Over the course of the 2019 protests, police had taken thousands of phones from protesters.

“What you can do with the UFED is detain a protest leader, get all the information about them and their connections, and then very quickly cut the opposition,” said Eitay Mack, a human rights lawyer who has unsuccessfully petitioned Israeli regulatory bodies to change how Cellebrite’s technology is regulated.

A Beijing-based technology broker posted an authorization letter that it said was from Cellebrite to its WeChat account.

Image: WeChat

As activists campaigned for Cellebrite to pull out of Hong Kong, the newspaper Haaretz published a series of reports that put pressure on the company within Israel, detailing Cellebrite’s work in not just Hong Kong but also Belarus and Venezuela. On October 7, 2020, Cellebrite relented and announced that “effective immediately” it would stop selling products and services to China and Hong Kong. The company claimed that it had made the change to comply with new U.S. regulations.

“It was happy news when Cellebrite said we’re not going to do business with Hong Kong,” said Lokman Tsui, a fellow with the Citizen Lab at the University of Toronto who was based in Hong Kong at the time. The move meant that Cellebrite’s representatives could not be called to give testimony in court cases in the territory, he added.

But while Cellebrite did eventually deregister its Chinese subsidiary, resellers continued to hawk Cellebrite technology and services on both the mainland and in Hong Kong. Just one week after Cellebrite’s announcement, a government procurement award notice revealed that police in Guangxi province had purchased UFED 4PC.

In December 2020, the Shenzhen-based reseller Smile said it had provided Cellebrite software to border guards in Tibet. According to a post on the reseller’s website, an engineer delivered UFED 4PC to guards in November and demonstrated how to extract WeChat data from a mobile phone. Attendees watched as the engineer displayed someone’s chat records, photos, and videos on a screen, the post claimed.

Brokers in Hong Kong continued to offer Cellebrite technology as well. In February, the website Intelligence Online reported that two technology brokers operating out of Hong Kong still advertised the company’s products on their websites. One of them subsequently removed the reference to Cellebrite but did not alter any claims about its cellphone forensics capabilities. A third Hong Kong-based reseller still advertises a purported partnership with Cellebrite on its website.

Customers in countries where agreements have been terminated “no longer receive active product support or have their licenses renewed,” Cellebrite said in its statement. “All resellers Cellebrite works with are subject to the same restrictions.”

Do you have information about the use of Cellebrite products that you want to share? Contact reporter Mara Hvistendahl at marahv@protonmail.com or via Signal at +1-651-400-7987.

But Mack, the human rights lawyer, said that the findings from China fit with a pattern seen elsewhere in the world: When Cellebrite withdraws from a country under pressure from human rights activists and the press, it does not take sufficient steps to disable the equipment that is already in the region. In 2019, Cellebrite’s former broker in Myanmar told the Washington Post that police there still had access to UFEDs, even though the company said it had pulled out of the country months earlier. Before Cellebrite’s departure, authorities in Myanmar used Cellebrite technology to comb the cellphones of two Reuters journalists.

A sample Cellebrite contract posted on its website gives the company the right to insert code into its software that can remotely disable it if the software is misused. That suggests that in some situations it is  possible for the company to deactivate existing products. “They need to cut everything,” said Mack. “They shouldn’t be working there. They should immediately withdraw because from the beginning they shouldn’t work in China.”

Cellebrite devices are also freely available on eBay. (EBay founder Pierre Omidyar provided the funding to launch The Intercept and continues to back the publication.)

In a recent SEC filing, Cellebrite claimed that going forward it would “prioritize a human rights-based approach” and practice “strict adherence” to “all relevant Israeli, U.S., and EU regulations and controls.” But the documents submitted by the company ahead of its anticipated IPO also emphasize Cellebrite’s potential for growth, something that has so far proven incompatible with protecting human rights.

“They claim that they have an oversight system, that they only sell to legitimate clients, and that doesn’t seem to be the case.”

“It’s their responsibility at the end of the day,” said Krapiva of Access Now. “They claim that they have an oversight system, that they only sell to legitimate clients, and that doesn’t seem to be the case.”

Mack said Cellebrite’s sales in countries like China raise the question of why the U.S. government hasn’t put more pressure on Israel’s Ministry of Defense, which issues a license to Cellebrite. “I don’t understand how the U.S. and the EU governments are turning a blind eye to the businesses that the Israeli government is allowing,” he said. “This is a privilege that the Israeli government and Israeli companies have that other countries don’t have.”

For the moment, Cellebrite continues to list a technical support hotline in China on its website. The hotline informs callers that phone support for the region is closed but offers the option of submitting requests online or by email.

Whatever the status of ongoing official sales of Cellebrite products in China, the devices and software seem to remain in use. In April, a reseller secured the right to run maintenance, repairs, and software updates on a UFED Touch device owned by police in the city of Wenzhou, according to a government procurement document.

And in May, Beijing Information Security Technology noted on its website that to avoid Cellebrite devices becoming unusable, customers should keep them offline. The reseller assured customers that going forward, it would furnish the services needed to operate the devices and update the software offline. The post concluded: “Beijing Information Security Technology will also continue to provide the latest product-related instructions and technical services. Please feel free to follow us.”

Both Beijing Information Security Technology and Smile, the broker that brought Cellebrite technology to border guards in Tibet, continue to offer the Israeli company’s products for sale on their websites.

Join The Conversation