How the Military Exposed the Tools That Let Authorities Break Into Phones
The Marine Corps is trying to close a no-bid contract with Cellebrite, a company that helps police get into locked phones. The specs weren’t supposed to be public.
Immigration and Customs Enforcement (ICE) really doesn't want the public to know what it's doing with devices from Cellebrite, a company that helps law enforcement break into locked phones. When it announced an $11 million contract with Cellebrite last month, ICE completely redacted the justification for the purchase.
The U.S. Marine Corps has now done the opposite. It published a justification to a public contracting platform, apparently by mistake, for a no-bid contract to continue putting Cellebrite's UFED/InsEYEts system in the hands of military police. The document is marked "controlled unclassified information" with clear instructions not to distribute it publicly. UFED/InsEYEts "includes capabilities exclusive to Cellebrite and not available from any other company or vendor," the document claims, before going on to list specific capabilities for breaking into specific devices.
Reason is posting the document below, with phone numbers redacted.
These capabilities have not been publicly listed in full. "As part of our business practice, we refrain from divulging or publicizing the specific capabilities of our technology at any given time. This approach is rooted in our commitment to security; by not disclosing detailed information, we avoid providing potential criminals or malicious actors with any advantage," Cellebrite spokesman Victor Cooper told Reason via email.
The Marine Corps declined to comment, citing the government shutdown.
The document seems to corroborate common advice from tech experts: Keeping devices updated and turning them off are both important protections against law enforcement snooping.
According to the document, Cellebrite is already used by the U.S. Marine Corps Criminal Investigation Division at several Marine bases as well as the Naval Criminal Investigative Service, and is part of the standard curriculum at the U.S. Army Military Police School. The system is used for breaking into phones already in police custody, rather than hacking into them remotely.
Although the Marine document is dated August 2025 on the signature line, the phrase "V1.6 (20 December 2023)" is printed on the footer of each page, suggesting that the list of capabilities is copied from an earlier document. Indeed, Cellebrite customer support materials leaked to 404 Media in 2024 show several capabilities that the Marine contracting documents do not.
Its age actually makes the Marine leak useful in understanding the government's phone-hacking capabilities, according to William Budington, a senior staff technologist at the Electronic Frontier Foundation, a digital civil libertarian nonprofit. Comparing the Marine documents to the 404 Media leak shows just how fast the cat-and-mouse game between police and tech companies moves.
"This isn't what they're capable of now. It's just a snapshot," Budington says. "The window of opportunity for them to extract closes if you have a phone that's been updated in the relatively recent past," he adds.
For example, the Marine document advertises "full file system capability" for certain iPhones running iOS version 15.7.1. That put Cellebrite at least a year behind, since iOS version 15.7.2 had come out in December 2022. The 404 Media documents, dated April 2024, show that Cellebrite had closed the gap significantly by then; it was able to break into certain locked iPhones running iOS 17.3.1, released in February 2024.
Meanwhile, "the variety and type of Android exploits shows that really, it's a bit of a Wild West out there for people who are trying to keep their Android devices secure," says Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, a nonprofit focused on civil liberties and privacy in New York.
Although the Marine document lists a variety of vulnerable lower-end Android devices, it does not list Google's flagship phone, the Pixel. The 404 Media documents show that Cellebrite can break into Pixels, but cannot decrypt the data on newer Pixels that are turned off.
Interestingly, the Marine document mentions that Cellebrite data has been challenged in court for "authenticity" by defense lawyers. "Cellebrite UFED/InsEYEts has been proven countless times to stand the legal review and thus allow for the physical extractions and evidence to be admitted into the court systems," the document states.
The Marine document also advertises Cellebrite's ability to extract a user token that allows police to log into a phone owner's accounts on Facebook, WhatsApp, Google Drive, iCloud, and other apps. Cellebrite itself has mentioned this capability in some public-facing customer support materials.
Another prominent Cellebrite customer, U.S. Customs and Border Protection (CBP), claims that it only searches devices that are disconnected from the internet. But Cellebrite's ability to extract tokens means that even an internet-disconnected device could provide CBP with the ability to log into a traveler's cloud storage later on. CBP updated its Cellebrite contract around the same time as ICE and the Marines.
The agency did not respond to a request for comment.
"Law enforcement should apply for and get an authorized search warrant to get into these devices, which isn't often the case," says Maria Villegas Bravo, a lawyer at the Electronic Privacy Information Center, another digital civil libertarian nonprofit. "Usually, the way they get into it is with consent from the device owner, although a lot of the time the device owner isn't given full understanding of what they're giving law enforcement access to. They're just like, 'here is my phone.'"