Cellebrite's Universal Forensic Extraction Device (UFED) can bypass encryption and extract data from locked smartphones — text messages, photos, location history, deleted files. Founded in Israel in 1999, Cellebrite has sold its technology to law enforcement and intelligence agencies in more than 150 countries, generating over $300 million in annual revenue. While used for legitimate criminal investigations in democratic nations, the technology has also been deployed by authoritarian governments in Belarus, China, Russia, Turkey, and the United Arab Emirates to identify and arrest political dissidents, journalists, and human rights activists.
On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik killed 14 people and injured 22 others in a terrorist attack in San Bernardino, California. Both attackers were killed in a shootout with police. Left behind was Farook's iPhone 5C — a device that might contain evidence about the attack's planning, potential accomplices, or connections to terrorist organizations. The phone was locked with a four-digit passcode and protected by iOS encryption that would erase all data after ten incorrect attempts.
The Federal Bureau of Investigation sought a court order under the All Writs Act compelling Apple to create custom firmware that would disable the auto-erase feature and allow unlimited rapid passcode attempts. Apple refused. CEO Tim Cook published an open letter calling the demand "too dangerous to create," arguing that any backdoor could be exploited by criminals or hostile governments. The case became a defining moment in the encryption debate, crystallizing tensions between law enforcement investigative needs and technology companies' security architectures.
Then, abruptly, the FBI dropped the case. On March 28, 2016, the agency announced it had found "an alternative method" to access the device without Apple's assistance. While the FBI has never officially confirmed the vendor, multiple reports indicated the bureau paid a third-party service approximately $900,000 to unlock the phone. The most frequently cited candidates: Israeli digital forensics company Cellebrite or its Atlanta-based competitor Grayshift.
Cellebrite had been operating quietly for over a decade before the San Bernardino case thrust mobile forensics into public consciousness. Founded in 1999 in Petah Tikva, Israel, the company initially developed consumer software for transferring data between mobile phones. As smartphones proliferated and law enforcement increasingly encountered encrypted devices containing evidence, Cellebrite pivoted to forensic applications. Its Universal Forensic Extraction Device — UFED — became the industry standard tool for extracting data from locked phones.
The technology works through a combination of hardware exploits, operating system vulnerabilities, and proprietary techniques Cellebrite does not publicly disclose. UFED can perform "physical extractions" that bypass device encryption and passcode protection entirely, accessing data at the file system level including text messages, photos, videos, call logs, app data, location history, and deleted files. Cellebrite claims UFED can extract data from thousands of device models across iOS, Android, and legacy operating systems.
Cellebrite's transformation from consumer data transfer service to law enforcement contractor accelerated after its 2007 acquisition by Sun Corporation, a Japanese conglomerate primarily known for manufacturing pachinko machines. Sun purchased Cellebrite for approximately $20 million — an investment that would be valued at over $2 billion when Cellebrite went public 14 years later.
Under Sun's ownership, Cellebrite aggressively expanded into government and law enforcement markets. The company developed relationships with police agencies, intelligence services, and military organizations worldwide. By 2020, Cellebrite claimed customers in more than 150 countries, including law enforcement agencies in all 50 U.S. states. The FBI, Drug Enforcement Administration, Department of Homeland Security, Secret Service, and thousands of state and local police departments acquired UFED licenses.
Cellebrite's business model depends on continuous software updates. As Apple, Google, and other manufacturers patch security vulnerabilities, Cellebrite engineers discover new exploits to maintain access. This creates a technological arms race: manufacturers implement security features, forensic companies crack them, manufacturers respond with new protections, and the cycle repeats. Customers pay annual subscription fees — ranging from $9,000 to $30,000 per license depending on capabilities — ensuring access to the latest extraction techniques as they're developed.
In September 2021, Cellebrite went public through a merger with special purpose acquisition company TWC Tech Holdings II Corp. The SPAC deal valued the company at $2.4 billion and provided approximately $300 million in cash for expansion. For fiscal year 2023, Cellebrite reported $305 million in revenue, with 71% derived from software licenses and subscriptions rather than hardware sales. The financial structure reveals that Cellebrite's core business is not selling devices but maintaining subscription access to continuously updated extraction capabilities.
While Cellebrite markets UFED as a tool for legitimate criminal investigation, the same technology that helps detectives solve murders or rescue trafficking victims can be repurposed for political surveillance. The company has sold to governments with documented records of using surveillance technology to identify and arrest dissidents, journalists, and human rights activists.
The most extensively documented case involves Belarus. Following disputed presidential elections in August 2020, mass protests erupted across the country. President Alexander Lukashenko's security forces arrested over 30,000 demonstrators between August 2020 and March 2021. Human Rights Watch conducted detailed investigations documenting that Belarusian authorities systematically extracted data from arrested protesters' smartphones using Cellebrite UFED devices.
"Police would take protesters' phones, connect them to Cellebrite devices, and extract all data — contacts, messages, social media, photos. They'd use that information to identify other protesters and organizers. Many people were arrested based solely on appearing in someone else's extracted contact list."
Human Rights Watch testimony from former Belarusian detainee — March 2021
The extracted data was used to map protest networks, identify organizers, and conduct additional arrests. Former detainees reported that interrogators confronted them with messages, photos, and contact information extracted from their phones — information they had never voluntarily disclosed. In many cases, individuals were arrested solely because their names appeared in other protesters' contact lists or messaging apps, with no independent evidence of criminal activity.
In November 2021, the Dossier Center, an investigative journalism project, published leaked internal documents from Belarus's Ministry of Internal Affairs showing ongoing Cellebrite support contracts and training programs. The documents detailed how police units were equipped with UFED devices and instructed to extract data from all detained protesters regardless of whether specific evidence was sought.
Belarus is not an isolated case. Investigative journalists and human rights organizations have documented Cellebrite sales to China, Russia, Turkey, the United Arab Emirates, Venezuela, and other countries where governments have used surveillance technology for political repression. Amnesty International's 2018 report documented Bangladeshi authorities using mobile forensic tools — including equipment from Cellebrite competitor MSAB — to extract data from journalists' phones during a crackdown on press freedom.
U.S. and European export control regulations theoretically restrict sales of surveillance technology to human rights abusers. The Wassenaar Arrangement, a multilateral export control regime, includes "intrusion software" on its controlled items list. The European Union's dual-use regulation prohibits exports of certain surveillance technologies to countries where they might be used for internal repression.
In practice, enforcement is inconsistent and easily circumvented. Cellebrite's Israeli headquarters places it outside EU jurisdiction for most exports. The company maintains it conducts human rights reviews of potential customers and has declined sales where abuse risks are high. Critics note, however, that Cellebrite continues operating in countries with documented patterns of using surveillance technology for political persecution.
The challenge of controlling forensic tool exports is complicated by secondary markets. Equipment purchased by one government can be resold to others. Private security firms and investigation companies can acquire licenses and provide extraction services to governments unable to purchase directly. The technology itself, once sold, operates independently without ongoing oversight of how it's deployed.
Wenzel Michalski of Human Rights Watch argued that Cellebrite "cannot credibly claim to be surprised" when its technology is used to violate rights: "When you sell phone-cracking tools to authoritarian governments, you know exactly what they'll be used for. These aren't edge cases — this is the predictable result of selling surveillance technology to repressive regimes."
In April 2021, the encrypted messaging service Signal published a blog post that sent shockwaves through the mobile forensics industry. Signal's founder, cryptographer Moxie Marlinspike, revealed that the organization had "recently been in possession of" Cellebrite UFED extraction equipment — the post did not explain how — and had conducted a security analysis.
The results were damning. Signal's researchers discovered multiple critical vulnerabilities in Cellebrite's software. Most significantly, they demonstrated that specially crafted files placed on a target phone could execute arbitrary code on the UFED device itself when extraction was attempted. A malicious video file, for instance, could compromise the Cellebrite device, potentially altering extraction reports or accessing other data stored on the forensic workstation.
Signal's analysis also revealed that Cellebrite's software contained outdated libraries and dependencies with known security flaws, including some dating back years. The disclosure suggested that Cellebrite's quality control and security practices did not match the critical evidentiary role its products played in criminal investigations. If extraction reports could be altered without detection, the legal implications were profound — every case relying on Cellebrite evidence could potentially be challenged.
The blog post was written in Signal's characteristically pointed style: "In completely unrelated news, upcoming versions of Signal will be regularly enhanced with the addition of files that are never used for anything inside Signal and never interact with Signal software or data, but do look nice, and aesthetically match Signal's design language." The implication was clear: future Signal updates might include files specifically designed to compromise forensic extraction tools.
Cellebrite never publicly responded to Signal's specific technical claims. The company continued releasing software updates, presumably addressing the disclosed vulnerabilities, but did not acknowledge whether the issues existed or had been patched. The silence was notable given the severity of the security flaws and their potential impact on evidence integrity in criminal cases.
Apple has treated companies like Cellebrite and Grayshift as adversaries, implementing security features specifically designed to frustrate forensic extraction. Each iOS update often includes protections targeting known forensic techniques, temporarily neutralizing extraction capabilities until new exploits are discovered.
In iOS 11.4.1, released in July 2018, Apple introduced USB Restricted Mode. After one hour without unlocking, the iPhone disables the Lightning port's data connection, allowing only charging. This measure specifically targeted hardware-based extraction devices that connect to the port. Cellebrite and Grayshift devices could no longer be used on phones that had been locked for more than an hour unless the passcode was entered first.
Subsequent iOS versions implemented additional hardening: enhanced Secure Enclave protections, stronger encryption for data-at-rest, hardware-level security improvements, and tighter restrictions on what data remains accessible when a device is locked. Apple's security team actively monitors the forensic tools market, purchasing devices to understand their techniques and developing specific countermeasures.
This dynamic creates an escalating technological arms race. Apple implements new security features; forensic companies discover new exploits; Apple patches those vulnerabilities; forensic companies find different attack vectors. The cycle benefits neither side completely: Apple must continuously invest in security engineering, while forensic companies face ongoing R&D costs to maintain access to the latest devices.
For law enforcement, the result is uncertainty. A Cellebrite license that can crack the current iPhone model may be ineffective after the next iOS update. Agencies face a choice: delay investigations while waiting for forensic companies to develop new techniques, or send devices to specialized laboratories with access to more advanced (and expensive) capabilities. In some cases, critical evidence may be temporarily or permanently inaccessible depending on the specific device, operating system version, and available forensic tools at the time of investigation.
While international human rights concerns focus on authoritarian governments, civil liberties organizations in democracies have raised questions about how mobile forensic tools are deployed domestically. In 2020, the advocacy organization Upturn published "Mass Extraction," a comprehensive investigation based on public records requests to law enforcement agencies across the United States.
The findings challenged the narrative that tools like UFED are reserved for serious criminal investigations. Upturn documented that at least 2,000 agencies in all 50 states had acquired mobile forensic technology, predominantly from Cellebrite and Swedish competitor MSAB. Public records revealed that police were extracting data from phones during routine arrests, traffic stops, and minor offenses — not just in terrorism or murder investigations.
"We found police extracting entire phone contents — every text message, photo, email, browser history — during arrests for shoplifting, drug possession, even traffic violations. Most agencies had no written policies limiting when extraction was permissible."
Upturn — Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones, 2020
The report documented cases where officers extracted complete phone data without warrants, relying on consent from arrestees who may not have understood the scope of what they were authorizing. In some jurisdictions, police maintained searchable databases of extracted information, creating repositories of personal communications, photos, and location histories that had no direct connection to criminal investigations.
Constitutional protections in the United States theoretically require warrants for phone searches, based on the Supreme Court's 2014 decision in Riley v. California. The Court held unanimously that police generally need a warrant to search an arrested person's phone. However, Upturn found widespread circumvention through consent requests, exigent circumstance claims, or plain extraction before seeking judicial authorization.
The legal framework struggles to keep pace with technical capabilities. Riley was decided in 2014, when phone forensics was less advanced and encrypted devices were less common. The decision did not anticipate devices that could extract complete data from locked, encrypted phones without user cooperation. Lower courts have issued contradictory rulings about whether compelling suspects to provide passcodes violates Fifth Amendment protections against self-incrimination, creating legal uncertainty about when extraction without consent is permissible.
Cellebrite no longer operates alone in the mobile forensics market. Multiple competitors offer similar capabilities, creating a commercial ecosystem around phone-cracking technology. Grayshift, founded in 2016 by former Apple security engineer Braden Thomas, emerged as Cellebrite's primary rival, particularly for iOS devices. The company's GrayKey device reportedly costs between $15,000 and $30,000 depending on configuration, sold exclusively to law enforcement agencies.
In 2021, Canadian digital forensics company Magnet Forensics acquired Grayshift for approximately $100 million, creating a consolidated competitor with complementary product lines. Swedish company MSAB continues competing with its XRY product line, claiming customers in over 100 countries. Israeli firm Paragon Solutions, Chinese company Meiya Pico, and others serve regional markets.
The commercial structure creates problematic incentives. Forensic companies profit from discovering and exploiting security vulnerabilities in mobile operating systems. Responsible security practice typically involves discovering vulnerabilities and disclosing them to manufacturers so they can be patched, protecting all users. But for forensic companies, patched vulnerabilities eliminate product capabilities and reduce commercial value. The business model depends on stockpiling exploits and keeping them secret from manufacturers.
This mirrors the zero-day exploit market, where government intelligence agencies and private contractors buy and sell undisclosed software vulnerabilities for offensive cyber operations. The difference is that mobile forensic companies openly advertise their capabilities to law enforcement customers, creating a quasi-legitimate market for tools that depend on security flaws.
Defense attorneys have increasingly challenged evidence obtained through mobile forensic extraction. The technical complexity of tools like UFED creates opportunities for both legitimate questions about evidence integrity and procedural challenges about warrant requirements.
Cellebrite's devices generate detailed extraction reports that appear authoritative — formatted documents with technical specifications, hash values to verify data integrity, and official-looking timestamps. But Signal's 2021 disclosure demonstrated that these reports could potentially be compromised. If malicious files on a target phone could alter the extraction device's operation, could they also subtly modify evidence without detection?
Defense attorneys have sought access to Cellebrite's source code to verify that extracted evidence accurately represents what was on defendants' phones. Prosecutors and forensic companies typically resist, claiming proprietary trade secrets. Courts have issued contradictory rulings about whether defense access to forensic tool source code is required to challenge evidence validity. Some jurisdictions allow sealed review by defense experts; others accept prosecution assertions that the technology is reliable without independent verification.
The Fourth Amendment questions are equally complex. Does extracting data from an encrypted phone without a suspect's passcode constitute a search requiring a warrant? Most courts say yes. But what about circumstances where police claim exigent circumstances — an immediate threat or risk of evidence destruction? What level of suspicion justifies seeking a warrant for complete phone extraction versus targeted searches for specific evidence? These questions lack uniform legal answers.
The existence of commercial forensic tools like Cellebrite's UFED complicates policy debates about encryption. Law enforcement agencies argue that strong encryption creates "warrant-proof" spaces where evidence is technically inaccessible even with legal authorization. They advocate for government-mandated backdoors or key escrow systems that would allow lawful access to encrypted communications.
Security researchers and civil liberties advocates respond that any backdoor, regardless of how carefully designed, creates vulnerabilities that can be exploited by criminals, foreign intelligence services, or malicious actors. They argue that encryption protects critical infrastructure, financial systems, personal privacy, and national security — that weakening it to enable law enforcement access would cause far more harm than benefit.
But forensic tools demonstrate that the "going dark" narrative — the claim that encryption makes evidence permanently inaccessible — is more nuanced than sometimes presented. Cellebrite, Grayshift, and competitors can often access encrypted devices by exploiting implementation flaws rather than breaking encryption itself. These capabilities are temporary, dependent on discovering new vulnerabilities as old ones are patched, but they suggest that the binary framing of "unbreakable encryption" versus "lawful access" oversimplifies technical reality.
The Electronic Frontier Foundation has argued that commercial forensic tools represent "the worst of both worlds": they weaken security by incentivizing vulnerability stockpiling while being available to authoritarian governments that use them for repression. EFF senior staff attorney Andrew Crocker testified before Congress: "The existence of companies like Cellebrite proves that law enforcement can often access encrypted devices without backdoors. But these capabilities are indiscriminate — the same tools that help solve crimes also enable surveillance states to crush dissent."
Cellebrite's technology is neither simply a law enforcement investigative tool nor purely an instrument of surveillance state oppression. It is both, simultaneously, depending on who deploys it and under what legal constraints. This duality defines the challenge of governing dual-use technology in democratic societies that value both security and civil liberties.
Mobile forensic extraction serves legitimate purposes. Detectives investigating murders, child exploitation, terrorism, or trafficking need tools to access evidence on encrypted devices. Courts can authorize searches. Legal frameworks exist to balance investigative needs with privacy protections. In jurisdictions with functioning rule of law, judicial oversight, and constitutional constraints, tools like UFED operate within legal boundaries — when those boundaries are enforced.
But the same technology, exported without meaningful restrictions and deployed without oversight, becomes an instrument of political surveillance. When Belarus extracts protest organizers' contact lists, when China uses forensic tools in Xinjiang, when authoritarian governments identify dissidents through their phones, Cellebrite's technology enables repression. The company's position that it conducts human rights reviews rings hollow when sales continue to governments with documented patterns of abuse.
The technical architecture creates structural problems that corporate ethics policies cannot solve. Once sold, forensic devices operate independently. Cellebrite cannot remotely disable UFED units being misused by authoritarian customers. Software updates that provide new capabilities are delivered to all license holders, regardless of how previous tools were deployed. The subscription model means ongoing support for agencies using the technology for political surveillance, not just criminal investigation.
Export control regimes designed for military weapons struggle to govern software and technical knowledge. A Cellebrite device is a laptop running specialized software. The underlying techniques — exploiting operating system vulnerabilities, bypassing security implementations, extracting data from memory — represent knowledge that cannot be bottled once discovered. Even if Cellebrite stopped operating tomorrow, the forensic techniques would persist, implemented by competitors or developed independently.
The arms race between security and forensics continues without resolution. Apple and Google will keep hardening their operating systems. Cellebrite and competitors will keep discovering new exploits. Law enforcement will keep demanding access to encrypted evidence. Privacy advocates will keep arguing that any backdoor creates catastrophic risks. Meanwhile, in Belarus, Russia, China, and dozens of other countries, protesters' phones will be connected to extraction devices, their contact lists used to identify the next round of arrests.
Cellebrite reported $305 million in revenue for 2023. Approximately 5,000 agencies in more than 150 countries maintain active licenses. The market for phone-cracking technology is growing, not shrinking. Every smartphone contains a complete digital life: communications, photos, locations, financial records, relationships, beliefs. The technology to extract that data exists, operates profitably, and serves both criminal investigation and political surveillance depending solely on who wields it.
The question is not whether these capabilities exist — they do. The question is whether meaningful governance structures can distinguish between legitimate uses and repressive applications. Current evidence suggests they cannot. Export controls are circumvented. Corporate ethics policies are insufficient. International human rights law lacks enforcement mechanisms. And the financial incentives favor proliferation: there is too much money in cracking phones for the market to self-regulate.
Cellebrite is a symptom, not the disease. The disease is the combination of universal digital dependency, imperfect encryption implementations, commercial markets for security vulnerabilities, and inadequate legal frameworks to govern dual-use technology. Until those structural conditions change, tools for accessing encrypted phones will proliferate, serving police detectives solving murders and secret police identifying dissidents with equal technical proficiency.