Advertisement
Advertisement
Hong Kong protests
Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
A former Hong Kong police detective says the force has used Cellebrite’s data-extraction technology for about seven years. Photo: SCMP Pictures

Hong Kong protests: did police use Israel’s Cellebrite hacking tech to crack protesters’ smartphones?

  • Former Hong Kong police detective says the force has used the company’s data-extraction technology for about seven years
  • Disclosure may explain how investigators got around smartphone security features to gather evidence against protesters
A former Hong Kong police detective and forensics expert says the city’s police have used controversial phone-cracking technology produced by an Israel-based forensics company, offering a likely explanation for how investigators got around common security features like passwords and fingerprint readers to get evidence against thousands of protesters during the ongoing anti-government unrest.

Frances Chu, who spent more than three decades in the force and is now a computer forensics consultant, said she believed the force had bought data-extraction devices from Cellebrite to unlock smartphones like those police seized from anti-government protesters.

Chu, who retired from the force in 2013, said Hong Kong police had been using Cellebrite technology for about seven years and that she knew of at least two sellers of its products in the city, including the Hong Kong cybersecurity company Binary Solutions, where she formerly worked as a consultant. Binary Solutions, which is based in Wan Chai, lists Hong Kong Police Force and Cellebrite among its clients and partners on its website.

‘Cyberattack from China’ hit messaging app used by Hong Kong protesters

“The Hong Kong police have used Cellebrite in their investigations for quite a long time,” said Chu, who runs CFA Consulting. “It’s not a new thing.”

Secretary for Security John Lee Ka-chiu this month told a meeting of the Legislative Council that police had seized 3,721 mobile phones from arrested protesters and suspects between June and November last year and broken into them to read their contents.

He said the devices were subjected to “digital forensic examination” after obtaining court warrants but did not respond to lawmakers’ questions on whether police had used spyware to hack the phones, insisting the “critical technologies” involved must remain secret.

Phone-cracking technology developed by the Israel firm Cellebrite. Photo: AFP

Hong Kong has been rocked by seven months of at times violent protests after attempts to introduce a bill – which has since been scrapped – allowing the extradition of criminal suspects to jurisdictions including mainland China. About 7,000 people have been arrested in connection with the protests since June, with more than 1,000 prosecuted for offences including unlawful assembly, rioting and possession of offensive weapons. Police have also carried out raids to disrupt alleged bomb plots, including an operation in July during which authorities made what they said was the biggest-ever seizure of explosive materials in Hong Kong.

Lee made his comments after activist Joshua Wong Chi-fung last month publicly questioned whether police had abused their authority by hacking his phone to obtain his instant messaging records.

Wong said he had not revealed the password on his phone to police, who later said the messages had been obtained under a search warrant issued by a magistrate.

Last week, a photographer who was arrested for unlawful assembly sought a judicial review to challenge the legality of two warrants that allowed officers to search his phone and other devices.

The applicant, Lee Wing-ho, argued the warrants were unlawful as they authorised police to search his devices “without any limitation or conditions” and applied to about 50 different devices stored on police premises.

Cellebrite came to international attention in 2016 when it was incorrectly speculated to be the third party that helped the FBI break into the iPhone of San Bernardino killer Syed Rizwan Farook after Apple refused to help unlock the device, citing civil liberties concerns.

In June, the firm, which is owned by Japan’s Sun Corporation, introduced the newest version of its Universal Forensic Extraction Device, touting it as “the only on-premise solution for law enforcement agencies to unlock and extract crucial mobile phone evidence from all iOS and high-end Android devices”.

Demonstrators shine lights from their smartphones during a protest at Urban Council Centenary Garden in the Tsim Sha Tsui. Photo: Bloomberg

Chu said it was her understanding that Cellebrite devices were capable of cracking “most” phones.

“It’s not magic, it can’t guarantee to crack any phone,” she said.

Chu said other Hong Kong agencies also used Cellebrite products, including the Independent Commission Against Corruption and the Customs and Excise Department.

Although it keeps its list of clients close to its chest, Cellebrite is known to sell its devices to numerous law enforcement and government agencies around the world, including in the United States, the United Kingdom and Australia.
The firm has, however, attracted controversy due to the use of its technology by authorities in countries such as Myanmar and Bahrain to justify the punishment of dissidents and journalists.

Adam Jaffe, vice-president of global communications at Cellebrite, said the company took any potential abuse of its products seriously.

“We require agencies and governments that use our technology uphold the standards of international human rights law,” Jaffe said. “In the extremely rare case when our technology is used in a manner that does not meet international law or does not comply with Cellebrite’s values, we take swift and appropriate action, including terminating agreements.”

A Hong Kong Police Force spokesperson said the force could not disclose information about the technology it used because it would reveal details of police operations, “allowing criminals to take advantage by undermining the police’s capabilities in combating serious crimes and maintaining public safety”.

An employee opens a drawer where phones are stored at the research lab of the Israel firm Cellebrite. Photo: AFP

The spokesman said police exercised their search and seize powers in accordance with relevant legislation and “generally” would only carry out a forensic examination of a phone after obtaining a court warrant, in line with a 2017 High Court ruling that a device can only be examined without a warrant in “exigent circumstances”.

Binary Solutions did not respond to a request for comment.

Lokman Tsui, an assistant professor at the School of Journalism and Communication of the Chinese University of Hong Kong, said it could be inferred that Hong Kong police used Cellebrite devices given the force’s access to messages Joshua Wong sent through apps such as WhatsApp, where the service provider can’t see or access what content has been sent or received.

What is Telegram and why is it so popular during the Hong Kong protests?

“WhatsApp is end-to-end encrypted, which means that the police cannot go to WhatsApp – or Facebook that owns WhatsApp – to get access to his conversations,” Tsui said.

Tsui echoed concerns of opposition lawmakers that such phone cracking software, which is proprietary and not open source, could be abused.

“There is no foolproof way to show that evidence was not planted on the phone,” he added.

Brian Jackson, an expert on the use of technology in criminal justice at the US-based Rand Corporation, said emerging law enforcement tools raised questions about the balance between privacy and public security that would become increasingly difficult to answer as people relied more on devices such as smartphones.

“Given how important mobile devices and technologies are in people’s lives today, they can contain a great deal of information that can be relevant to criminal investigations. But, for that reason, access to them can represent a very significant privacy invasion,” Jackson said.

“The more information that we entrust to these devices – and that the devices often collect without the user’s knowledge – potentially the more difficult this trade-off becomes, which means that even if we strike an acceptable balance today, we will have to revisit it in the future.”

This article appeared in the South China Morning Post print edition as: ‘Controversial tech helped police to crack phones’
Post