It is inevitable in today’s world that law enforcement sometimes be faced with mobile devices that suspects locked prior to their seizure by authorities. Locking your devices is good common sense security, which goes for you and I and, yes, for criminals. As a result, the police will sometimes need to break encryption on such mobile devices, in order to get to the data within, either for investigative or evidentiary purposes. That’s when tools such as Cellebrite UFED come into play. By using UFED, law enforcement can break into otherwise secure devices, such as iPhone smartphones, and get to the data within.
Unfortunately for the prosecution side, someone recently obtained access to UFED and analyzed its security features which were found to be, shall we say, lacking. Indeed, according to Moxie Marlinspike (creator of the Signal app), ironically, cybersecurity isn’t exactly UFED’s strong suit. In fact, according to his report, after looking at the product, he believe this tool’s security is so weak that even scanning a boobytrapped device may result in alteration of the data that was or is later exacted using UFED.
In short, in their efforts to secure some evidence, it seems some police forces are using a tool the reliability of which may be called into question. Indeed, if the tool at issue cannot be counted on to provide data that is a reliable record of what really was found in a particular device, should such evidence not be thrown out?
Legally, the fact that a tool used to extract information is prone to tampering may not bode well for convictions obtained on the basis of the resulting evidence at issue, at least if the vulnerabilities reported by Moxie Marlinspike can be substantiated. Some American defense attorneys intend to argue against convictions that were secured by the authorities based on evidence extracted from locked smartphones. This could, for example, require new trials in some cases, etc.
UFED is apparently used by many law enforcement agencies throughout the world. We don’t yet know how many convictions this inconvenient revelation may eventually allow defense attorneys to call into question.
This is yet another good example of the perpetually problematic relationship between cybersecurity and the law.