Overview
Cellebrite DI Ltd. is an Israeli digital forensics and intelligence company founded in 1999 in Petah Tikva, Israel. Originally established as a mobile phone data transfer company helping customers move contacts between devices, Cellebrite pivoted in the mid-2000s to become the world's dominant provider of mobile device forensics and extraction technology used by law enforcement and intelligence agencies worldwide. The company went public on NASDAQ in August 2021 through a SPAC merger with TWC Tech Holdings II Corp., valuing the company at approximately $2.4 billion. Under CEO Yossi Carmil, Cellebrite generated approximately $300 million in annual revenue as of 2023.
Cellebrite's flagship product, the Universal Forensic Extraction Device (UFED), can extract data from virtually any mobile phone, including locked devices, bypassing encryption and security measures that manufacturers implement to protect user privacy. The company also offers Cellebrite Premium, its most advanced and expensive tool, capable of unlocking the latest iPhone and Android devices using proprietary exploitation techniques.
The broader software suite includes:
- Cellebrite Physical Analyzer: data analysis and visualization of extracted device contents
- Cellebrite UFED Cloud Analyzer: extraction of data from cloud services linked to target devices
- Cellebrite Pathfinder: digital intelligence analysis and network mapping across cases
- Cellebrite Analytics (formerly Reader): cross-case correlation linking evidence across multiple investigations and devices
Unlike NSO Group's Pegasus spyware, which enables remote zero-click exploitation, Cellebrite's tools require physical access to a target device. However, this distinction is less meaningful than it appears: in law enforcement contexts, devices are routinely seized during arrests, border crossings, traffic stops, and raids.
The company's technology has been sold to over 6,700 public safety agencies in more than 140 countries, making it the most widely deployed mobile forensics platform in the world, far more pervasive than offensive cyber tools like Pegasus, which are limited to a smaller set of wealthy government clients.
The breadth of Cellebrite's customer base, including agencies in countries with documented patterns of extrajudicial killing, political persecution, and suppression of press freedom, has drawn sustained criticism from Citizen Lab, Amnesty International, Privacy International, and the Electronic Frontier Foundation.
Data Collection Practices
Cellebrite's tools enable the comprehensive extraction and analysis of data from mobile devices, representing total digital compromise when physical access is available:
Full device extraction through UFED can recover all data stored on a mobile phone, including:
- Text messages (SMS/MMS) and messaging app conversations (WhatsApp, Signal, Telegram, iMessage, Facebook Messenger, WeChat)
- Call logs, voicemail, contacts, and address books
- Photos, videos, and audio recordings
- Web browsing history, bookmarks, and search queries
- Location data (GPS logs, Wi-Fi connection history, cell tower records)
- Application data from hundreds of apps
- Email accounts and contents
- Social media content and private messages
- Calendar entries, notes, and passwords stored in keychains
- Wi-Fi network history and Bluetooth pairing history
- Files from cloud storage apps
The extraction captures not just current data but the complete digital footprint of a person's mobile life.
Lock bypass capabilities allow Cellebrite tools to defeat device security that users rely on to protect their data. UFED can bypass PINs, passwords, pattern locks, and in some cases biometric authentication on a wide range of devices.
Cellebrite Premium, the company's highest-tier offering marketed exclusively to law enforcement, claims the ability to unlock "industry-leading devices" including recent iPhone models (exploiting bootrom and software vulnerabilities) and Samsung Galaxy devices.
These capabilities directly undermine the security measures that Apple, Google, and Samsung implement to protect user privacy, creating a persistent arms race between device manufacturers and forensic extraction vendors. Cellebrite maintains a vulnerability research team that identifies and stockpiles zero-day exploits in mobile operating systems rather than reporting them to manufacturers, a practice that leaves all users of affected devices at risk.
Cloud extraction through UFED Cloud Analyzer enables the extraction of data from cloud services associated with a device, including iCloud, Google accounts (Gmail, Google Drive, Google Photos, Google Maps timeline), social media platforms (Facebook, Instagram, Twitter/X), messaging services, and other cloud-based applications.
By leveraging authentication tokens and session cookies extracted from the physical device, Cellebrite can access cloud data that extends far beyond what is stored locally, effectively turning a phone seizure into access to the target's entire cloud-based digital life.
This means that even users who minimize data stored on their devices remain vulnerable through their cloud accounts.
Deleted data recovery through advanced forensic techniques allows recovery of messages, photos, videos, documents, and other data that users believed they had permanently deleted. Cellebrite's tools can recover data from:
- Unallocated disk space where deleted files have not been overwritten
- SQLite database journals and write-ahead logs
- Application caches and temporary storage
- System logs and diagnostic data
In some circumstances, this includes recovery of messages from encrypted messaging applications where local decryption keys or cached plaintext can be extracted.
The ability to recover "deleted" data is particularly consequential for journalists, activists, and dissidents who delete sensitive communications believing they are protecting their sources and contacts.
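The residue in SQLite write-ahead logs and freed database pages described above can be reproduced, and closed off, from the application side. This is an added example, not code from Cellebrite or from any app named on this page; the database name, table and message are constructed, and it uses only Python's standard sqlite3 module.

```python
import os
import sqlite3
import tempfile

# Constructed sample message; the marker makes it easy to find in raw bytes.
SECRET = b"meet source at pier 9, 22:00 [marker-7f3a]"


def _contains(path: str) -> bool:
    """True if the raw file at `path` still holds the secret bytes."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return SECRET in fh.read()


def residue_after_delete(secure_delete: bool) -> dict:
    """Insert a message, delete it, and report where its bytes remain."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "chat.db")   # hypothetical app database
        wal = db + "-wal"                   # SQLite's write-ahead log file
        conn = sqlite3.connect(db, isolation_level=None)  # autocommit
        try:
            conn.execute("PRAGMA journal_mode=WAL").fetchall()
            # Disable automatic checkpoints so the run is deterministic.
            conn.execute("PRAGMA wal_autocheckpoint=0").fetchall()
            flag = "ON" if secure_delete else "OFF"
            conn.execute(f"PRAGMA secure_delete={flag}").fetchall()
            conn.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
            rows = [(1, "hello"), (2, SECRET.decode()), (3, "see you")]
            conn.executemany("INSERT INTO msg VALUES (?, ?)", rows)

            # The user "deletes" the message; the app no longer shows it.
            conn.execute("DELETE FROM msg WHERE id = 2")
            visible = conn.execute(
                "SELECT count(*) FROM msg WHERE id = 2").fetchall()[0][0]

            # Earlier WAL frames still hold the page image from the insert.
            result = {"row_visible": bool(visible), "wal_before": _contains(wal)}

            # Mitigation step: fold the WAL into the database and truncate it.
            conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
            result["db_after"] = _contains(db)    # freed cell in the db page
            result["wal_after"] = _contains(wal)  # WAL is now zero length
            return result
        finally:
            conn.close()


if __name__ == "__main__":
    for setting in (False, True):
        print("secure_delete =", setting, residue_after_delete(setting))
```

With `secure_delete` off, the deleted text survives in the main database file even after the checkpoint; with it on, the freed cell is zeroed, but in both cases the text stays in the `-wal` file until a `TRUNCATE` checkpoint runs. Flash wear leveling can keep older blocks below the filesystem, so these settings narrow the recovery window rather than guarantee erasure.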
Analytics and cross-case correlation through Cellebrite Pathfinder and Analytics enables the cross-referencing of data extracted from multiple devices to map communication networks, identify associates, establish timelines, correlate locations, and build comprehensive profiles of investigation targets and their social circles.
Pathfinder's network visualization can process data from dozens of extracted devices to map entire organizational structures, showing who communicated with whom, when, where, and how frequently.
This capability transforms individual device extractions into comprehensive social network surveillance, enabling authorities to map protest movements, journalistic networks, or dissident organizations from a small number of seized devices.
Known Clients & Government Contracts
Cellebrite's customer base of 6,700+ agencies spans the globe, including both democratic governments with judicial oversight and authoritarian regimes with documented patterns of human rights abuse:
U.S. federal law enforcement represents Cellebrite's largest market. The FBI has contracts with Cellebrite exceeding $10 million, using UFED as standard equipment for digital forensics across all 56 field offices. The DEA, U.S. Marshals Service, Secret Service, Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), and Department of Homeland Security components including ICE and CBP all deploy Cellebrite tools.
ICE contracts with Cellebrite exceed $5 million and are used in immigration enforcement, including extraction of data from migrants' and asylum seekers' phones at the border. Customs and Border Protection uses Cellebrite at ports of entry, where Fourth Amendment protections are diminished and agents can search devices with lower legal standards than required domestically.
Thousands of state and local police departments across the United States use Cellebrite tools, making UFED the de facto standard for mobile forensics in American law enforcement. A 2020 Upturn report documented that police departments in all 50 states possess mobile device extraction tools, with Cellebrite being the most prevalent vendor.
UK Metropolitan Police and other UK forces use Cellebrite extensively for device extraction in criminal investigations. The widespread deployment across UK policing has raised concerns from privacy organizations about proportionality: the ease of performing a full phone extraction incentivizes fishing expeditions through suspects' entire digital lives rather than targeted searches for evidence relevant to specific offenses. UK courts have begun to grapple with the privacy implications of Cellebrite extractions, but the technology remains standard practice.
Hong Kong Police deployed Cellebrite tools during the 2019-2020 pro-democracy protests to extract data from detained protesters' phones, potentially exposing their networks, communications with organizers, fundraising activities, and connections to international supporters. The use of forensic extraction tools against political protesters, as opposed to criminal suspects, represents a fundamental misuse of technology sold for criminal investigation purposes. Reports indicate that data extracted from protesters' phones was used to identify and detain additional participants.
Chinese Public Security Bureau (Ministry of Public Security) purchased Cellebrite tools, documented through procurement records and investigative reporting. Given China's systematic persecution of Uyghur Muslims in Xinjiang, including mass detention of over one million people, comprehensive surveillance, and forced labor, the sale of advanced mobile forensic tools to Chinese security services raised alarms among human rights organizations. Cellebrite's technology could be used to extract data from Uyghurs' phones during the systematic checkpoints and arbitrary detentions documented by Human Rights Watch and Amnesty International.
Russian FSB (Federal Security Service) was documented as a Cellebrite customer through procurement records and investigative journalism. Cellebrite tools in Russian hands were potentially used against opposition activists, independent journalists, and civil society organizations operating in an increasingly repressive environment. Cellebrite announced restrictions on Russian sales only after the February 2022 invasion of Ukraine, not in response to years of documented political repression, assassinations of journalists, or poisoning of opposition figures.
Bangladesh Rapid Action Battalion (RAB), an elite military unit designated by the U.S. Treasury Department for sanctions in December 2021 for involvement in extrajudicial killings totaling over 600 deaths, was documented as a Cellebrite customer by Haaretz investigative reporting. The sale of forensic extraction tools to a unit known for death squad activity represents one of the most alarming documented instances of surveillance technology enabling human rights atrocities.
Myanmar military (Tatmadaw) reportedly deployed Cellebrite tools after the February 2021 coup to extract data from detained pro-democracy activists, journalists, and elected officials. In the context of a military junta that has killed over 4,000 civilians, detained tens of thousands of political prisoners, and conducted airstrikes against civilian targets, mobile forensic extraction becomes a tool of systematic political persecution.
Israeli Police use Cellebrite tools domestically, including documented use against Palestinian citizens of Israel and in the occupied territories. The proximity between Cellebrite and Israeli security services, given the company's headquarters in Israel and the revolving door between Israeli military intelligence and the surveillance technology industry, raises questions about the independence of the company's human rights due diligence.
Privacy Incidents & Litigation
Cellebrite's history reveals a pattern of enabling surveillance abuses, operating with minimal transparency, and implementing restrictions only after public exposure:
Signal Vulnerability Disclosure (2021): Moxie Marlinspike, Signal's creator and CEO, published a devastating analysis in April 2021 showing that Cellebrite's UFED software contained numerous vulnerabilities, including the ability to execute arbitrary code on Cellebrite devices simply by placing a specially crafted file on a target phone.
Marlinspike demonstrated that a file on a phone being analyzed by UFED could silently modify past, present, and future Cellebrite reports, inserting or removing data and undermining the forensic integrity of all evidence processed by that device.
The blog post revealed that Cellebrite's software included unsigned DLLs, used outdated FFmpeg libraries with known vulnerabilities, and incorporated Apple code without apparent licensing authority.
This disclosure was particularly significant because it undermined the evidentiary reliability of Cellebrite extractions used in criminal prosecutions worldwide: if reports can be silently tampered with, their value as forensic evidence is fundamentally compromised.
Authoritarian Regime Sales (ongoing): Investigative reporting by Haaretz, The Intercept, Citizen Lab, and other outlets has systematically documented Cellebrite sales to:
- Bangladesh's death squads (RAB)
- Chinese security forces targeting Uyghurs and other ethnic minorities
- Russia's FSB
- Myanmar's military junta
- Saudi Arabia (where Cellebrite tools were potentially available during the period of journalist Jamal Khashoggi's murder)
- Venezuela and other agencies with documented human rights abuses
The company has repeatedly been slow to restrict sales, implementing export controls only after public exposure and media pressure rather than proactive human rights assessment. The pattern suggests that commercial incentives consistently override human rights considerations in Cellebrite's sales decisions.
Protest Surveillance (2019-2021): Cellebrite tools were documented as being used against pro-democracy protesters in Hong Kong (2019-2020), Belarus (2020), and Myanmar (2021), enabling extraction of data that identified protest organizers, participants, donors, and supporters.
In each case, the extracted data was used by security forces engaged in violent suppression of legitimate political expression. The use of forensic extraction against protesters represents a systematic pattern of Cellebrite's technology being deployed for political repression rather than criminal investigation.
Data Breach (2017): In January 2017, approximately 900GB of data was stolen from Cellebrite servers and provided to the media outlet Motherboard/Vice. The stolen data included customer information, databases, and technical data about Cellebrite products.
The breach revealed details about Cellebrite's customer base and raised concerns about the security of sensitive law enforcement data processed through Cellebrite's systems. If forensic extraction data was compromised, it could expose the personal information of thousands of individuals whose devices had been analyzed.
Warrantless Use in U.S. (ongoing): Reports and court documents have revealed cases of U.S. law enforcement using Cellebrite tools without warrants, particularly at borders where the Fourth Amendment's protections are diminished, and in cases where police conduct device extractions incident to arrest before obtaining a warrant specific to the phone's contents. The 2014 Supreme Court ruling in Riley v. California held that police generally need a warrant to search a cell phone, but enforcement of this requirement is uneven, and Cellebrite's tools make warrantless extraction trivially easy for any officer with access to the device.
EFF/iFixit Hardware Analysis (2021): The Electronic Frontier Foundation and iFixit published a detailed teardown and analysis of Cellebrite's UFED hardware, revealing that the devices contained outdated software components with known vulnerabilities, used commodity hardware, and that the proprietary extraction process lacked the transparency and reproducibility required for reliable forensic evidence. The analysis raised fundamental questions about whether Cellebrite extractions meet the Daubert standard for scientific evidence admissibility in U.S. courts.
Defense Challenges in Criminal Cases (ongoing): Defense lawyers in criminal cases in the U.S., UK, and other countries have increasingly challenged the reliability and admissibility of Cellebrite extractions. Challenges focus on the proprietary "black box" nature of the extraction process, the inability to independently verify how data was extracted, whether the extraction process may have altered or contaminated evidence, and the vulnerabilities exposed by Signal's Moxie Marlinspike. Some defense experts have demonstrated that Cellebrite extractions can produce inconsistent results, with the same device yielding different data depending on the extraction method used.
Threat Score Analysis
Cellebrite receives a composite threat score of 80/100, reflecting its position as the most widely deployed mobile device forensics platform in the world and its documented role in enabling political persecution:
- Data Collection (90/100): UFED's ability to extract all data from virtually any mobile device, including deleted data, data from encrypted messaging applications, and cloud account contents, plus its capability to defeat lock screens and encryption on modern devices, represents total compromise of mobile privacy when physical access is available. The cloud extraction capability extends this to the target's entire online presence. Cellebrite's forensic tools provide a more complete picture of an individual's digital life than any other single surveillance technology.
- Third-Party Sharing (75/100): Cellebrite's sales to over 6,700 agencies in 140+ countries, including agencies in China, Russia, Bangladesh, Myanmar, Hong Kong, Saudi Arabia, and other countries with documented human rights abuses, effectively distributes advanced surveillance capabilities globally with minimal controls on end use. The company's due diligence on client usage has been repeatedly documented as inadequate: sales to sanctioned entities and death squads continued until exposed by journalists rather than caught by internal controls.
- Breach History (65/100): The 2017 data breach exposed 900GB of customer and technical data, demonstrating that Cellebrite's own security practices do not match the sensitivity of the data it processes. Signal's 2021 vulnerability disclosure revealed fundamental security flaws in UFED software that could allow evidence tampering, undermining the forensic integrity of all Cellebrite extractions. The combination of insecure infrastructure and vulnerable software raises systemic concerns about the reliability and security of Cellebrite's forensic evidence chain.
- Government Contracts (90/100): Cellebrite is deeply embedded in global law enforcement infrastructure, with tools deployed in over 140 countries. Its products are used in routine criminal investigations, counterterrorism, immigration enforcement, and, most concerning, political persecution of protesters, journalists, and dissidents. The company's revenue depends almost entirely on government contracts, creating structural incentives to prioritize sales over human rights. The minimal controls on how extracted data is used or retained by government clients compound the threat.
- Transparency (25/100): Cellebrite's software is proprietary and resistant to independent auditing, raising concerns about its reliability as forensic evidence, concerns validated by Signal's vulnerability disclosure and the EFF/iFixit analysis. The company has been slow to restrict sales to abusive regimes, implementing restrictions only after public exposure. Cellebrite's annual "Ethics and Integrity" report has been criticized by human rights organizations as lacking substance, failing to disclose its complete client list, refusing to acknowledge documented abuses, and relying on Israel's Defense Export Controls Agency (DECA) as a proxy for human rights due diligence despite DECA's documented failures to prevent sales to abusive governments.
Weighted calculation: (90 * 0.25) + (75 * 0.25) + (65 * 0.20) + (90 * 0.15) + (25 * 0.15) = 22.5 + 18.75 + 13 + 13.5 + 3.75 = 71.5, adjusted to 80 due to the scale of global deployment across 140+ countries and the systematic, documented use of Cellebrite tools against protesters, journalists, human rights defenders, and persecuted ethnic and religious minorities.
Transparency & Accountability
Cellebrite provides minimal meaningful transparency about its operations, client list, and the human rights impact of its technology, despite growing pressure from civil society organizations:
The company publishes an annual "Ethics and Integrity" report that has been criticized by Amnesty International, Privacy International, and the EFF as a public relations exercise rather than genuine accountability. The report does not disclose Cellebrite's complete client list, does not acknowledge documented instances of its technology being used for human rights abuses, and does not provide independent verification of the company's human rights due diligence processes.
Cellebrite's "Digital Intelligence" rebranding effort, framing surveillance tools as "intelligence" and "public safety" solutions, reflects a strategic communications approach designed to obscure the surveillance implications of its products.
Following public exposure of sales to authoritarian regimes, Cellebrite has announced various "ethics" initiatives and client restrictions, but these have consistently been reactive rather than proactive:
- Sales to China were restricted only after sustained media pressure and geopolitical shifts, not due to internal ethical review.
- Sales to Russia were halted only after the 2022 invasion of Ukraine, despite years of documented FSB repression.
- Bangladesh RAB sales were acknowledged only after Haaretz's investigative reporting.
This pattern demonstrates that Cellebrite's internal human rights processes are insufficient to prevent sales to the most egregious abusers; public exposure and journalistic investigation serve as the only effective check.
Cellebrite relies on Israel's Defense Export Controls Agency (DECA) for export licensing, effectively outsourcing its human rights due diligence to a government body that has its own geopolitical interests and has repeatedly approved exports of surveillance technology to authoritarian governments. The Israeli government's documented use of surveillance technology exports as a diplomatic tool, providing Pegasus and similar capabilities to governments in exchange for political support, creates structural conflicts that undermine the independence of export control decisions.
The proprietary nature of Cellebrite's technology raises fundamental questions about its use as forensic evidence in criminal proceedings worldwide. Defense lawyers cannot independently verify how data was extracted, whether the extraction process altered or contaminated evidence, or whether the tools accurately and completely represent device contents.
The vulnerabilities exposed by Signal's Moxie Marlinspike demonstrated that Cellebrite reports could potentially be tampered with silently, further undermining evidentiary reliability.
Courts in some jurisdictions have begun scrutinizing Cellebrite evidence more carefully, but the technology remains widely accepted with limited independent validation, a situation that serves Cellebrite's commercial interests but may compromise the integrity of criminal justice systems that rely on its tools.