Serbian Student’s Android Phone Compromised by Cellebrite Exploit

Campaign of Surveillance

Amnesty International Uncovers New Evidence of Cellebrite’s Exploits Used in Serbia

Amnesty International on Friday said it determined that a zero-day exploit sold by controversial exploit vendor Cellebrite was used to compromise the phone of a Serbian student who had been critical of that country’s government.

Zero-Day Exploit Used to Compromise Student’s Phone

The human rights organization first called out Serbian authorities in December for what it said was their “pervasive and routine use of spyware” as part of a campaign of “wider state control and repression directed against civil society.” That report said the authorities were deploying exploits sold by Cellebrite and NSO, a separate exploit seller whose practices have also been sharply criticized over the past decade. In response to the December report, Cellebrite said it had suspended sales to “relevant customers” in Serbia.

The Attack Chain

On Friday, Amnesty International said that it uncovered evidence of a new incident. It involves the sale by Cellebrite of an attack chain that could defeat the lock screen of fully patched Android devices. The exploits were used against a Serbian student who had been critical of Serbian officials. The chain exploited a series of vulnerabilities in device drivers the Linux kernel uses to support USB hardware.

Widespread Surveillance

"This new case provides further evidence that the authorities in Serbia have continued their campaign of surveillance of civil society in the aftermath of our report, despite widespread calls for reform, from both inside Serbia and beyond, as well as an investigation into the misuse of its product, announced by Cellebrite," authors of the report wrote.

Amnesty International’s Investigation

Amnesty International first discovered evidence of the attack chain last year while investigating a separate incident outside of Serbia involving the same Android lockscreen bypass. Authors of Friday’s report wrote:

Conclusion

This latest revelation highlights the need for greater accountability and transparency from exploit vendors like Cellebrite. The use of zero-day exploits to compromise the privacy of individuals, particularly those who are critical of the government, is a serious violation of human rights.

Frequently Asked Questions

Q: What is Cellebrite?
A: Cellebrite is a controversial exploit vendor that sells zero-day exploits to governments and law enforcement agencies.

Q: What is Amnesty International’s concern about Cellebrite’s activities?
A: Amnesty International is concerned that Cellebrite’s exploits are being used to compromise the privacy of individuals and violate their human rights.

Q: What is the purpose of the attack chain?
A: The attack chain was used to compromise the phone of a Serbian student who had been critical of Serbian officials, allowing the authorities to monitor their communications and activities.

Q: What does Cellebrite say about the sale of these exploits?
A: Cellebrite has suspended sales to "relevant customers" in Serbia following Amnesty International’s report in December.
