Uganda admits buying Israeli phone-hacking software

Kampala, Uganda | URN | Human rights activists have asked the Israeli Defence ministry to stop allowing an Israeli company to sell phone-hacking software to Ugandan authorities, claiming it is being used for human rights abuses.

The company, Cellebrite, which specializes in developing tools for digital forensic investigations, is reported to have sold its phone-hacking software, known as Universal Forensic Extraction Device (UFED), to Uganda Police and other security services. The software enables enforcement authorities to hack into password-protected cell phones and retrieve all the information they contain.

Uganda Police reportedly uses the same technology, the UFED cloud analyzer, to extract data from online storage services like Dropbox, Google Drive, OneDrive and Apple’s iCloud. Although Cellebrite publications explain that remote access is only possible if the account holder provides the password, an IT specialist who preferred anonymity said that the user of the system is actually able to extract data from the cloud services installed on the hacked phone.

Israeli human rights lawyer Eitay Mack is leading a campaign demanding the withdrawal of UFED from Uganda Police. Mack, one of Israel’s leading voices against arms sales to human rights violators, is leading several human rights organizations which signed a letter to the Defense Ministry stating that Uganda is using the phone-hacking software to oppress critics. The Defense ministry’s Defense Export Control Agency monitors and approves sales of security technologies abroad.

The letter, which was also copied to Cellebrite, detailed murders, kidnappings, and torture of human rights activists, dissidents, and members of the opposition. The signatories also made reference to the 2021 Country Reports on Human Rights Practices, published by the US Department of State, which highlighted a series of state-instigated violations against Ugandans.

The report faulted the government and its security forces for participating in arbitrary killings, forced disappearances, cruel, inhuman, or degrading treatment of suspects and torture. The same report also points to restrictions on free expression including violence and unjustified arrests or prosecution of journalists, and overly restrictive laws on the funding or operation of nongovernmental organizations and civil society organizations.

But Cellebrite said its products were sold to Uganda’s police and security services to fight serious crime and terror, according to a report by The Times of Israel and haaretz.com. The two publications quote Cellebrite saying that it always ensures that its tools are only used for legal and ethical purposes.

The same report quotes the company as saying that it is committed to its mission of creating a safer world through providing solutions to law enforcement organizations while ensuring legal and ethical use of its products.

“We have developed strict means of oversight that will ensure proper use of our technology in the context of investigations carried out under the law.”

The company has also insisted that it requires potential clients to demonstrate they have the authority to access iPhone or Android devices before making its product available. It has also been saying the technology’s dependence on physically interfacing with the phones means it is unlikely to be misused. But critics have noted that Cellebrite has had difficulty ensuring kits it has sent to clients remain with the clients.

In February 2019, Cellebrite phone hacking kits were found on sale on eBay, while some clients have not returned the kits to Cellebrite after use, as the company requests. There are also fears a Cellebrite kit could be reverse-engineered to uncover vulnerabilities that the company continues to keep hidden from the cellphone makers.

Cellebrite has sold the same software to Belarus, China, Hong Kong, Venezuela, Indonesia, Russia, the Philippines, and Bangladesh.

The Israeli Defense ministry claims that there is tight and effective oversight of Israeli cyber products sold abroad and that it puts human rights at the forefront when permitting the sale of cyber tools. Yusuf Sewanyana, the director of the Police’s ICT Directorate, told this publication that although the technology was procured, it is not in use at the moment.

Last year, Pegasus, an advanced spyware created by another Israeli firm, NSO Group, was reportedly detected on at least 11 iPhones used by US officials in Uganda, as well as locals working for the embassy. According to a report published by the Washington Post, the targeted individuals were notified by Apple that their devices had been hacked.

While NSO has previously said Pegasus can’t be used against US-based devices, Americans working overseas can and often do acquire local phone numbers, which may be vulnerable to Pegasus attacks. A report by the New York Times indicated that the targets were easily identifiable as State Department employees because they had used their professional email addresses to create Apple IDs.

NSO Group maintains that governments that purchase Pegasus are carefully vetted and are not to use the product except for specific purposes; however, the company has repeatedly sold Pegasus to countries known to use surveillance technology to track dissidents, lawyers, journalists, and other members of civil society.