ctipilot.ch

Citizen Lab confirms Russian use of Cellebrite UFED on activist Pivovarov's iPhone post contract-cancellation

incident · incident:cellebrite-ufed-russia-pivovarov

  • Coverage timeline: 1 (first 2026-06-27 → last 2026-06-27)
  • Briefs: 1 (1 distinct)
  • Sources cited: 18 (15 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-27 · CTI Daily Brief — 2026-06-27
    research · First coverage. Citizen Lab forensic report: MobileLockdown USB records + official Russian Investigative Committee report confirm UFED/UFED 4PC/Physical Analyzer extraction on 2021-06-17, 3 months after Cellebrite's Russia pull-out. Lesson: physical seizure + closed forensic tools bypass device + E2EE encryption; vendor pull-outs not a technical barrier.

Where this entity is cited

  • research: 1

Source distribution

  • therecord.media: 3 (17%)
  • attack.mitre.org: 2 (11%)
  • citizenlab.ca: 1 (6%)
  • bleepingcomputer.com: 1 (6%)
  • blog.calif.io: 1 (6%)
  • blog.google: 1 (6%)
  • cert.pl: 1 (6%)
  • dea.gov: 1 (6%)
  • other: 7 (39%)

Related entities

Items in briefs about Citizen Lab confirms Russian use of Cellebrite UFED on activist Pivovarov's iPhone post contract-cancellation (1)

Citizen Lab: Cellebrite UFED used by Russian authorities three months after the vendor's Russia pull-out

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

Citizen Lab published a forensic investigation (2026-06-25) confirming that Russian authorities used Cellebrite UFED / UFED 4PC / UFED Physical Analyzer to extract data from the iPhone 12 of opposition activist Andrey Pivovarov on 17 June 2021 — three months after Cellebrite cancelled its Russian contracts in March 2021 (Citizen Lab, 2026-06-25).

Two independent evidence streams corroborate: on-device MobileLockdown records show a USB connection to a Host ID previously attributed to Cellebrite hardware, and an official forensic report authored by the MVD (Interior Ministry) Forensic Expert Center — commissioned by the Investigative Committee — explicitly names the UFED tooling and lists extracted WhatsApp/Telegram/Viber data with keyword searches for opposition figures (The Record, 2026-06-25).

The operational lessons are blunt:

  • physical seizure plus closed forensic tooling bypasses device encryption and end-to-end-encrypted messaging entirely;
  • vendor contract cancellations and export controls are not a reliable technical barrier to tool proliferation;
  • MobileLockdown USB-host records are forensically valuable for identifying which extraction device touched a phone.

Defender takeaway: For Swiss diplomatic, parliamentary and law-enforcement staff travelling to higher-risk jurisdictions, threat models must treat device seizure as an out-of-band bypass of all software-based controls — pairing this with today's § 1 Signal advisory, sensitive comms should assume both the device and its backups are reachable by a capable adversary.