Amnesty International Exposes Cellebrite Exploitation in Serbia
On Friday, Amnesty International revealed that a zero-day exploit sold by the controversial vendor Cellebrite was used to compromise the phone of a Serbian student who had been critical of the country’s government. This revelation follows a December report by the human rights organization, which accused Serbian officials of widespread and routine use of spyware as part of a campaign of state control and repression against civil society.
December Report Findings
In December, Amnesty International called out Serbian officials for their alleged use of spyware in a campaign of widespread state control and repression against civil society. The report highlighted that authorities were deploying tools sold by Cellebrite and NSO Group, another exploitation vendor whose methods have faced strong criticism over the past decade. In response to the December report, Cellebrite announced that it had suspended sales to “relevant consumers” in Serbia.
New Incident Uncovered
On Friday, Amnesty International exposed evidence of a new incident involving the sale of Cellebrite’s tools, which can bypass the lock screen of complex Android devices. These tools were used against a Serbian student who had been critical of Serbian officials. The exploit targeted vulnerabilities in the device drivers that the Linux kernel uses to support USB hardware.
“This new case provides further evidence that authorities in Serbia have continued their civil society monitoring campaign, despite our report and widespread calls for reforms from both inside and outside Serbia,” Amnesty International stated.
Technical Details of the Exploit
Amnesty International first discovered evidence of Cellebrite’s exploit last year while investigating a separate incident outside Serbia that involved the same Android lock screen bypass. The exploit chain targeted core Linux USB drivers, and this class of vulnerabilities could affect over a billion Android devices. The vulnerabilities exploited included an out-of-bounds write bug in the Linux USB Video Class (UVC) driver and two additional security defects.
The exploit allowed Cellebrite customers with physical access to a locked Android device to bypass the lock screen and gain privileged access. The impact of this exploit is not limited to a particular device or vendor and could affect a wide range of devices.
Amnesty International’s Response
Amnesty International emphasized the need for Android vendors to strengthen defensive security features to mitigate threats from untrusted USB connections to locked devices. The organization worked with Google’s threat analysis team to address the issue and stated that upstream patches for additional vulnerabilities in this chain would be made available by Android vendors over the coming months.
Cellebrite’s Response
Following Amnesty International’s December report, Cellebrite announced that it would stop the use of its digital forensic equipment for some customers in Serbia. The company stated that it took the allegations seriously and conducted a thorough investigation in accordance with its ethics and integrity policies. Cellebrite emphasized the importance of revamping its due diligence processes to ensure its products are not used to abuse human rights.
Conclusion
The revelations by Amnesty International highlight the ongoing challenges in addressing the misuse of surveillance technology and the need for stronger safeguards to protect civil society. The collaboration between Amnesty International, Google, and other stakeholders underscores the importance of a coordinated approach to addressing these issues and ensuring the protection of human rights.
For more details, you can read the full report on Amnesty International’s website.