
For years, Serbia’s Ministry of the Interior has been acquiring equipment that uses hacking methods to extract data from mobile phones and computers to penetrate the deep secrets of device owners, making it one of the most intrusive and legally problematic technologies today.
Long-deleted Tinder, forgotten messages, booked hotels, purchased tickets, history of keyboard entries, locations, Wi-Fi networks used – all this can be found by the Serbian Interior Ministry if it gets into someone’s phone.
For years, the Ministry of the Interior has been purchasing highly intrusive digital phone forensics equipment, according to procurement data from the Serbian Ministry of the Interior. Today, the Ministry of Interior’s National Centre for Criminal Forensics has tools from Cellebrite of Israel, Oxygen of the UK, MSAB of Sweden, Magnet of Canada and, most recently, Elcomsoft of Russia.
“With these devices, the entire content of the mobile phone is one click away from the police. Such a system should not be used because it always picks up more than the court order,” says Eitai Mak, an Israeli human rights lawyer.
BIRN’s research has shown that the equipment can extract all data from a mobile phone and then analyses it, including data from innocent people.
Phone forensics requires a prior order from a court or prosecutor, but it is often unnecessary and even more often overly broad, and the handling of the phone and of the data on it during and after the examination is completely unregulated, experts say.
“When you have 2,000 cases where expert evidence is being unnecessarily conducted, it gets serious. Judges and prosecutors automatically order phone forensics, and one of the consequences is an unnecessary invasion of privacy,” says lawyer Vladimir Marinkov.
For the lawyers BIRN spoke to, the problem is that these commercial digital forensic tools hide the way they break through the phone’s security mechanisms and extract data.
“No one really knows how these tools work, companies hide it. To be legally valid evidence, the police would have to show the technique and method used to obtain the data, not blindly trust a phantom,” says Milana Pisarić, a PhD in law specializing in cybercrime.
The MUP started buying this equipment in 2017, and the same tools are used by authoritarian regimes around the world to criminalize activists, journalists and political opponents.
For years, lawyer Eitai Mak and a number of digital human rights organizations have been calling attention to the Israeli company Cellebrite, which has sold this equipment without risk assessment to countries with low human rights records or to sanctioned countries, where it has been used to repress protests and democratic action.
Phone forensics equipment for the MUP is procured from a few long-standing partners and proven suppliers, who often appear as sole bidders in MUP tenders because there are so few specialised companies. One of them is IN2 Informatički inžinjering, which procured forensic software with facial recognition capability for the Ministry of Interior; another is IntellSec, which recently joined the tenders. This company also purchased equipment for the surveillance center under the EPS, which BIRN has already written about.
Unlocking locked phones: what the Serbian Ministry of Interior’s phone hacking software can do
No one is obliged to disclose the phone code to the police, but the police can extract some data from the device without the code, and also unlock certain models of phones.
Elcomsoft states on its website that its tool can collect certain data from a device without unlocking the iPhone by bypassing Apple’s security mechanisms. Magnet Axiom states in its user manual that it can unlock certain Samsung, LG and Motorola phone models, while Oxygen Forensics boasts that it can crack the screen password on some Chinese phone models.
Some providers, such as Cellebrite and MSAB, offer “advanced” or “lab” phone unlocking services, in which experts at the company’s headquarters remotely access the phone under examination, physically located on police premises, and try to unlock it using methods known only to the company’s experts. In this way the company conceals its methodology and technology for breaking into the phone, and the police obtain an unlocked phone that they can then examine.
Milana Pisarić says police may “hack” phones if they have a court order to search them. However, that order would have to include authorization for a third party, i.e. an employee of the company that produces the forensic equipment, to access the phone in an expert capacity. In practice, if the court order does not address this, the police may allow a third party to access the phone even without the court’s explicit approval.
“It is unlikely that a domestic court would authorize a foreign company to provide this kind of professional assistance. If a private company, either from Serbia or abroad, accessed a mobile phone without the knowledge and consent of the owner, this would be a criminal offence, especially since there is no legal authorization for remote access to the phone,” Pisarić concludes.
Magic iPhone Jailbreak Case
MUP’s failed 2021 tender for the purchase of a GrayKey “box” points to the Serbian police’s ambition to break into the latest iPhones. The equipment was not procured because no bids were received.
Cyber security experts at Malwarebytes have previously warned about the intrusive nature of GrayShift’s tool; the company keeps its products and customer list entirely secret and is said to deal exclusively with the FBI.
GrayShift and Apple are engaged in a constant and precarious game of cat and mouse – the former looking for holes in Apple’s phones, the latter patching them. Recently, GrayShift has turned to finding vulnerabilities in Android phones too.
Penetrating the deep secrets of the phone
With the equipment acquired since 2017, MUP can extract data from tens of thousands of different device models and almost all mobile phone models, provided they have first been unlocked. Both MSAB and Cellebrite claim on their websites that they can access data from tens of thousands of devices of different profiles.
Retrieving data from a device is most commonly referred to as physical extraction. With the tools it has, MUP can extract, among other things, SMS and MMS messages, calls, contacts, calendars, notes, photos, video and audio recordings, and data that is invisible to the average mobile phone user and is potentially the most private of all.
The deepest level of data extraction goes into hidden and deleted data, which includes a list of Wi-Fi networks the user has connected to, GPS locations, internet search history, keyboard input history, email addresses, device notifications, and photo and video metadata. For some equipment manufacturers, it is sometimes possible to extract all this in less than five minutes.
With the deepest extraction come potential dangers, one of which is permanent software damage that could make the phone more vulnerable to future cyber threats.
“If the procedure is not carried out properly, it can damage the phone. It can leave the phone in a state where you can no longer turn it on, or you can be left with no data on your phone,” says Stevan Gostojić, professor of computer and information science at the Faculty of Technical Sciences in Novi Sad and a forensic IT expert.
Equipment for breaking dissent
The New York Times and Israel’s Haaretz reported in 2021 that the Myanmar military used Cellebrite and MSAB tools during the coup that year, in which more than 800 rebels were killed and thousands harassed, injured or taken into custody, where their phones were confiscated.
Haaretz and the US Intercept also report that Hong Kong police mass confiscated the phones of thousands of protesters during the 2019-2020 pro-democracy protests, and one of the protest leaders, Joshua Wong, had his iPhone confiscated by police and then had his data extracted using Cellebrite and MSAB tools, according to court documents posted by Wong on his Twitter account.
“In Vietnam, we proved that the police were buying Cellebrite and seizing phones from protesters during demonstrations. They demanded the phone code, and if anyone didn’t give it out, they took the phone to forensics, and then they continued to harass them for the information they found on the phone,” Eitai Mak, an Israeli human rights lawyer, told BIRN.
Haaretz also reported that in Russia, the Investigative Committee, a body under Vladimir Putin, claims that Cellebrite technology has been used some 26,000 times. “Every region in Russia has Cellebrite tools for digital forensics,” Mak said.
In addition, the Israeli company is facing controversy for exporting equipment to police forces in authoritarian and dictatorial regimes around the world, including sales to Uganda, Indonesia, Belarus, Botswana, Venezuela and Bangladesh.
Among the 40 languages supported by Cellebrite software is Serbian. Stevan Gostojić believes that this may have something to do with the Israeli company’s close relationship with its Serbian customers, including the police.
Training police officers to work with digital forensics tools is an additional problem. Experts interviewed by BIRN say that while commercial tools are easy to use and can be used by any police officer, a deeper understanding of digital forensics is needed to work safely and reliably.
“Any police officer can use them, they are so easy to use, you can download everything from your phone in a few clicks. It’s not like Pegasus Spyware, for which you need a team of trained people. It’s OK for the police to remove the whole content, but they shouldn’t. You need special expertise, so some inspectors can use it, but not all,” says Eitai Mak.
By searching the public procurement portal, BIRN journalists came across a 2021 contract for a course on working with digital forensics tools. The contract, which was awarded to the Croatian group IN2, IN2 Informatički Inženjering and Insig2, worth 8,000,000 dinars, is to train primary and mid-level police officers in the use of Cellebrite, XRY, Magnet Axiom, among other tools.
The primary level lasted three days and the intermediate level two days, with up to five participants per training level. Digital forensics expert Stevan Gostojić believes that five days is not enough time to master the forensic tools, but it is possible that the police officers being trained had prior knowledge.
Injunctions give police too much power
Gostojić says that at the forensic workstation, the contents of the entire phone or computer are always cloned, even though most of the time only certain parts of the device’s memory are needed.
He adds that there are no regulations governing the handling of data after forensics. Gostojić also points out that what data the forensic analyst accessed during the forensic examination, or what he did with that data, is not subject to any control.
He says that a major problem for him is the excessively broad or, in extreme cases, illogically worded expert orders he receives from courts or prosecutors.
“This shows that not all lawyers have the IT knowledge to be able to draft a task,” Gostojić told BIRN.
Excessive court orders are not only a problem in Serbia. In many countries, legislation has not kept pace with technological progress.
Israeli lawyer Eitai Mak cites a case in which he defended an activist and, for the purposes of the hearing, asked the police for the forensic material from his client’s phone relating to the incident in question.
“They said they couldn’t send it to me by email, but only on a CD. Why? When I left, I found that the police had copied the contents of the entire phone, including information about other activists, human rights activists and my correspondence with my client, thus violating the confidentiality of lawyer-client communications,” Mak said.
Mak says that court orders for phone forensics should be event-related, meaning that the police would only have access to the information specified in the order.
“With Cellebrite you extract all the data, which is against criminal law. The system generally does not allow you to select only certain data stores. For example, a search of a flat is always linked to a specific item. You can’t take everything; you are only looking for one thing.
“Like a cluster bomb and a regular bomb. A cluster bomb causes many explosions in one shot, so there are international conventions that restrict the use of cluster bombs. There should be such restrictions in technology as well. Ordinary people say that I am not interested in the rights of criminals, and then they see the police using the same technology to destroy democracy. Technology is accelerating this process,” says Mak.
Computer forensics easier than mobile phones
In 2021 and 2022, the Ministry of Interior of Serbia procured tools for specialized digital computer forensics – Cellebrite 4PC and Elcomsoft desktop forensics suite. These tools make data from PCs of all operating systems available to the Serbian police.
Digital forensics expert and registered IT expert Stevan Gostojić believes that it is easier to extract data from a PC than from a phone, as there is no need to know a passcode, and the hard disk can be removed from the PC and examined independently.
Data in the cloud: Serbia’s Ministry of Interior has access to data stored abroad
More and more data is being stored in the cloud, and less and less on the devices themselves, according to a March 2023 analysis by Maximize, an international research and advisory firm.
The companies whose tools MUP uses can also access data from the cloud, so the Serbian police have access to hundreds of cloud services, cloud accounts and data generated by different applications.
With cloud extraction, police can get data from iCloud and Google Cloud accounts, financial and shopping data, data from social networks and health, dating, travel and taxi apps, and see minute-by-minute search history and phone location. Data can also be retrieved from other smart devices, even some encrypted services.
Some of the most sensitive personal data, such as health, financial and sexual preference information, is stored in the cloud.
Recently, more and more providers are creating ways to extract data from health apps or smartwatches with sensors that measure health parameters. One of the most commonly used apps is Apple Health, which stores data on gait measurements, sexual and mental activity, diet, medication, symptoms or menstrual cycles.
“That’s why the phone is specific, someone’s whole life is there. It contains an indescribable quantity and quality of data that defines a person to a considerable extent, and therefore it enjoys special legal protection, so the contents of the phone can only be accessed if there is a court order for a search and only for the purposes of criminal proceedings,” says Pisarić.
To access cloud accounts, the police first find cloud login credentials on the device, or the so-called tokens that the device saves after an earlier successful login; whoever holds a valid token can use the account without passing two-factor authentication, the security mechanism against unauthorized access.
“Monitor online behavior, analyze posts, likes, events and links to better understand the interests, attitudes, opinions and daily activities of the suspect or victim,” reads the official website of the Israeli company Cellebrite.
Over the years, MUP has acquired a total of around 350 licenses for forensic tools. The largest percentage is taken up by Cellebrite equipment, so MSAB…
Dating apps are becoming an increasingly popular target for digital forensics – they can reveal an individual’s sexual, emotional, and partner preferences, their profiles, the messages they exchange with other users, and even the profiles of other users.
From financial data, forensic experts could obtain credit card or crypto wallet details. Encrypted and hidden services such as Signal correspondence, Telegram secret chats, Protonmail, Silent Phone and Snapchat’s My Eyes Only are not immune to forensic software.
For Milana Pisarić, the problem is not only that courts issue expert evidence orders without clear restrictions on what data may be collected and analyzed, but also the way data in the cloud is accessed, bypassing the mechanisms of international legal assistance in criminal matters, police cooperation and the cloud service providers themselves.
“If our police were to unilaterally and directly access data located in, for example, Colorado, this would be problematic. If the competent authorities did not obtain the data through official channels, but through such unilateral actions, the validity of the evidence in court would be questionable,” Pisarić believes.
With digital forensic tools, it is possible to constantly monitor the phone and plant evidence
Once law enforcement obtains cloud login credentials, this allows them to continue monitoring a user’s online activity even after the phone has been returned to its owner. This opens up a technical avenue for the police to potentially track the owner of the phone remotely without their knowledge.
“As long as I have the credentials or token, I can access the cloud. I could certainly monitor activity in the cloud until I log out of it. You would probably receive a notification that someone is accessing the cloud from a different address,” explains Stevan Gostojić, a digital forensics expert.
Besides allowing the owner’s behavior, messages and location to be monitored at all times, valid login credentials can be used to impersonate the user, send messages and emails in the user’s name, and even fabricate evidence by sending or downloading illegal material from cloud accounts belonging to the owner.
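The warning sign Gostojić describes, the account being used from a different address, is something a cloud provider or an account owner reviewing their own sign-in history can check for mechanically. The script below is an added example, not code from the article or from any vendor; it assumes the provider writes one JSON line per authenticated request carrying a session token identifier, source IP and timestamp. The field names and all log lines are constructed.

```python
"""Flag reuse of a cloud session token from an unfamiliar address.

Added example (not part of the original article). Assumes one JSON line per
authenticated request with fields ts, token_id, ip and action; the field
names and the sample lines below are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the owner's usual address, then the same token used
# from a different network the day after the device was handed back.
SAMPLE_LOG = """\
{"ts": "2023-05-02T08:10:00Z", "token_id": "tok_a1", "ip": "93.86.10.5", "action": "sync_photos"}
{"ts": "2023-05-02T09:45:00Z", "token_id": "tok_a1", "ip": "93.86.10.5", "action": "read_mail"}
{"ts": "2023-05-03T11:00:00Z", "token_id": "tok_a1", "ip": "93.86.10.5", "action": "read_mail"}
{"ts": "2023-05-03T11:20:00Z", "token_id": "tok_a1", "ip": "178.220.4.77", "action": "export_backup"}
{"ts": "2023-05-03T11:25:00Z", "token_id": "tok_a1", "ip": "178.220.4.77", "action": "read_mail"}
{"ts": "2023-05-04T07:00:00Z", "token_id": "tok_b2", "ip": "93.86.10.5", "action": "read_mail"}
"""

# Addresses seen during the first day of a token's life count as familiar
# (an assumption chosen for the example; real baselines are usually longer).
BASELINE_DAYS = 1


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_token_anomalies(events, baseline_days=BASELINE_DAYS,
                         travel_window=timedelta(hours=1)):
    """Return alerts for each token: use from an address outside its early
    baseline, and a switch between two addresses inside travel_window."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token_id"]].append(e)

    alerts = []
    for tok, evs in by_token.items():
        first_seen = evs[0]["ts"]
        baseline = {e["ip"] for e in evs
                    if e["ts"] - first_seen < timedelta(days=baseline_days)}
        for prev, cur in zip(evs, evs[1:]):
            if cur["ip"] not in baseline:
                alerts.append({"token_id": tok, "kind": "unfamiliar_ip",
                               "ip": cur["ip"], "ts": cur["ts"].isoformat(),
                               "action": cur["action"]})
                baseline.add(cur["ip"])  # report each new address once
            if cur["ip"] != prev["ip"] and cur["ts"] - prev["ts"] <= travel_window:
                alerts.append({"token_id": tok, "kind": "ip_switch",
                               "from": prev["ip"], "to": cur["ip"],
                               "ts": cur["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_token_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Both alerts in the sample fire on the token that was valid when the device changed hands; the remedy Gostojić points to, signing out of the account, is what invalidates the token, so an alert of this kind should be followed by revoking all active sessions rather than only changing the password.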
“It is possible to modify content with forensic devices, but it should not be done. I have had cases where the contents of a phone have been obviously altered, some results are impossible, files appear that should have been accessed long before they were created. I have had cases of communications being inserted and existing communications being deleted,” says lawyer Vladimir Marinkov.
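The anomalies Marinkov lists (files accessed before they were created, communications inserted or deleted) are the kind of inconsistency a defence expert can look for in an extraction report before accepting it. The script below is an added example, not code from the article or from any forensic vendor; it assumes the extraction was exported as two CSV tables, one of files with created, modified and accessed timestamps, and one of messages carrying the auto-incrementing row id of the app's database plus a timestamp. Column names and every row are constructed.

```python
"""Sanity-check an extraction report for impossible or inconsistent records.

Added example, not code from the article or from any forensic tool. Assumes
two CSV exports: files (path,created,modified,accessed) and messages
(row_id,ts,peer,text) where row_id is the database auto-increment id.
All column names and rows below are constructed for the example.
"""
import csv
import io
from datetime import datetime

FILES_CSV = """\
path,created,modified,accessed
/sdcard/DCIM/IMG_0001.jpg,2023-01-10T09:00:00,2023-01-10T09:00:00,2023-01-12T18:30:00
/sdcard/Download/contract.pdf,2023-03-01T12:00:00,2023-03-01T12:00:00,2022-11-05T08:15:00
/sdcard/DCIM/IMG_0002.jpg,2023-01-11T10:00:00,2023-01-11T09:30:00,2023-01-11T10:05:00
"""

MESSAGES_CSV = """\
row_id,ts,peer,text
41,2023-02-01T10:00:00,+381600000001,see you at 5
42,2023-02-01T10:04:00,+381600000001,ok
44,2023-02-01T10:30:00,+381600000002,meeting moved
45,2023-01-20T23:59:00,+381600000002,bring the package
46,2023-02-02T08:00:00,+381600000001,morning
"""


def _t(s):
    return datetime.fromisoformat(s)


def check_files(text):
    """Flag files whose access or modification time precedes their creation time."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        created = _t(row["created"])
        if _t(row["accessed"]) < created:
            findings.append((row["path"], "accessed_before_created"))
        if _t(row["modified"]) < created:
            findings.append((row["path"], "modified_before_created"))
    return findings


def check_messages(text):
    """Flag gaps in row ids (rows removed after the fact) and rows whose
    timestamp runs backwards relative to a higher row id (rows added later
    with a back-dated time). Both are leads, not proof."""
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: int(r["row_id"]))
    findings = []
    for prev, cur in zip(rows, rows[1:]):
        gap = int(cur["row_id"]) - int(prev["row_id"])
        if gap > 1:
            findings.append((cur["row_id"], f"row_id_gap_{gap - 1}"))
        if _t(cur["ts"]) < _t(prev["ts"]):
            findings.append((cur["row_id"], "timestamp_out_of_order"))
    return findings


if __name__ == "__main__":
    for f in check_files(FILES_CSV) + check_messages(MESSAGES_CSV):
        print(f)
```

Each finding is a reason to compare the report against the original device or a second, independently hashed extraction, not a conclusion on its own: a modified-before-created timestamp can also arise legitimately when a file is copied, and a row-id gap can be an ordinary user deletion.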
Analytical modules, a new level of intrusion
The sheer volume of text, media and other content collected by digital forensics tools can make the search for potential evidence a time-consuming task.
For this reason, forensic software is often equipped with analytical software that allows the user to map, visualize and review the findings from forensics. The analytical software from Magnet, MSAB, Cellebrite, Oxygen, with the help of artificial intelligence elements, facilitates and speeds up the process of working, searching and processing data.
The Oxygen Forensic Detective analytical module enables categorization and recognition of human faces. Lee Reiber, Oxygen’s Chief Operating Officer, said that the tool can “search for a specific person in an evidence collection or combine images of the same person.”
Not only does Oxygen provide categorization and matching of faces in the extracted data, the system also categorizes gender, age and race and recognizes emotions such as “joy” and “anger” on faces. Magnet goes one step further in categorizing people with its AI-based Magnet.ai option, which offers categorization of material by skin tone as a percentage.
Manufacturers’ analytics modules can often categorize sensitive content such as nudity, sexuality, tattoos, credit and ID cards or gambling.
The search filtering option, advertised by Cellebrite as “Search Their Searches” and by Oxygen as “Smart Filters”, allows the operator to filter and select finds by time, geolocation, source, keywords, persons or key evidence. There is also the possibility to map the locations visited and the movement routes.
‘Links’ within Oxygen allow the software operator to search for all contacts and to identify the people with whom the phone user has the most frequent contact and the intermediaries between these contacts.
“Such analytical modules are not regulated by the Criminal Procedure Act. If they are used in a way they should not be, then that is a breach of privacy. The conclusions reached by an AI-based analytical system must be reviewed manually,” Marinkov says.
The Ministry of Interior can access data from friends and third parties
Digital phone forensics not only threatens the privacy of the phone owner, but also of any connected persons who appear in communication with the owner.
“There is much more personal data on a phone than in a tapped phone conversation,” says Gostojić.
At the start of the pandemic, Cellebrite and MSAB launched new products that can track the movement history of a phone owner and find all the people the owner has been in contact with, provided the owner consents to hand over their phone for forensics.
However, lawyers told BIRN that such tools can also be used to compromise privacy.
“If you are establishing the identity of every person with whom a person has communicated in the search for incriminating evidence – you are crossing the line of what is permissible. If we enter into a deeper connection between two people, this is a serious threat to privacy. Where you moved, who you were with, the range of possibilities is enormous. If the identity of people who have no connection with the crime is mentioned in the expert evidence order, it is illegal access to information,” says lawyer Vladimir Marinkov.
Serbian President Aleksandar Vucic mentioned at the start of the pandemic that the country had a new way of tracking phone owners, even when they leave their phones at home.
From whom does the MUP obtain digital forensics tools?
A search of the public procurement portal led BIRN journalists to millions of dollars of forensic tools for the MUP. Since 2016, only three companies have emerged as winners of these tenders: MRG Import-Export, IN2 Informatički Inženjering and IntellSec. The first two companies were mostly the only bidders in the tenders due to the lack of specialized companies in this field in Serbia.
MRG acquired around 180 licenses for Cellebrite tools, analytics platforms and collaborative casework for MUP, its long-standing client and partner. MRG is also the sole supplier of Oxygen Detective forensic equipment to the Ministry of the Interior, with a total turnover of approximately €1,922,842 from tender wins for the procurement of digital forensic equipment for phones and computers alone.
The second most successful company is IN2 Informatički Inženjering, a company within the Croatian IN2 group, which purchased mainly MSAB XRY and Magnet Axiom tools for the Serbian police, generating a turnover of around €249,795.43.
The official Magnet reseller for the Western Balkans is the Croatian company Insig2, which has a Serbian subsidiary IN2 Informatički Inženjering. This company purchased Griffeye facial recognition software for the Serbian police, which BIRN has already reported on.
More recently, Milan Blagojević’s company IntellSec joined the tender race for forensic tools. His company had previously been involved in the procurement of encrypted telephones for the EPS, which BIRN has previously reported on. This company supplied MUP with two Russian tools from Elcomsoft for a total value of just over €9,000. IntellSec also has a private practice providing digital forensics to legal entities.
Suspicious partnerships
Another level of the problem is the questionable partnerships of unknown nature that equipment manufacturers enter into with third parties such as data vendors. The Canadian company Magnet, whose forensic software was purchased by MUP, is a partner of the Israeli companies NICE and CobWebs. The former was linked to the spy service provider and now defunct Circles, while the latter was blacklisted by Meta (formerly Facebook) at the end of 2021 for creating fake profiles to defraud users and access confidential information.