Serbian Authorities' Misuse of Cellebrite Tools in 2024: A Wake-Up Call for Digital Privacy
Executive Summary
In December 2024, Amnesty International reported that Serbian police and intelligence agencies misused Cellebrite's digital forensic tools to unlawfully extract data from mobile devices belonging to journalists and activists. The authorities employed these tools to unlock devices without consent, facilitating the installation of spyware like NoviSpy during detentions and interrogations. This surveillance campaign targeted individuals critical of government policies, leading to significant privacy violations and suppression of civil society. (amnesty.org)
The incident underscores the potential for abuse of digital forensic technologies when deployed without stringent oversight. It highlights the urgent need for robust legal frameworks and ethical guidelines to prevent the misuse of such tools against civil society and to protect fundamental human rights.
Why This Matters Now
The misuse of digital forensic tools by authorities poses a significant threat to privacy and freedom of expression. As these technologies become more accessible, it's imperative to establish and enforce strict regulations to prevent their exploitation for unlawful surveillance and to safeguard human rights.
Attack Path Analysis
Kenyan authorities arrested activist Boniface Mwangi and seized his personal phone. Using Cellebrite's forensic tools, they bypassed the device's security measures to gain unauthorized access. This allowed them to extract sensitive personal data, including private communications and plans for his presidential campaign. The extracted information was likely used to monitor and potentially intimidate Mwangi, impacting his activism and personal security.
Kill Chain Progression
Initial Compromise
Description
Kenyan authorities arrested Boniface Mwangi and seized his personal phone, providing physical access to the device.
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; full STIX/TAXII enrichment to follow.
Exploitation for Privilege Escalation
Input Capture
File and Directory Discovery
Ingress Tool Transfer
Indicator Removal on Host
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit access to system components and cardholder data to only those individuals whose job requires such access.
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Digital forensics tool abuse by authorities threatens citizen privacy, constitutional rights, and government accountability through unauthorized device extraction and surveillance overreach.
Law Enforcement
Cellebrite technology misuse undermines public trust in law enforcement, creates legal liability, and demonstrates need for stronger oversight of digital forensics capabilities.
Political Organization
Presidential candidates and political activists face targeted surveillance threats through mobile device exploitation, compromising campaign strategies and democratic processes fundamentally.
Non-Profit/Volunteering
Human rights organizations and activists experience increased digital surveillance risks, requiring enhanced mobile security measures and encrypted communication protocols for protection.
Sources
- Citizen Lab links Cellebrite to the hacking of a Kenyan presidential candidate’s phonehttps://cyberscoop.com/citizen-lab-kenya-cellebrite-phone-cracking-boniface-mwangi-forensic-evidence/Verified
- Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activistshttps://www.amnesty.org/en/latest/news/2024/12/serbia-authorities-using-spyware-and-cellebrite-forensic-extraction-tools-to-hack-journalists-and-activists/Verified
- Jordan used Israeli firm’s phone-cracking tool to surveil pro-Gaza activists, report findshttps://www.theguardian.com/world/2026/jan/22/jordan-israeli-spyware-gaza-activistsVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained unauthorized data extraction by enforcing strict segmentation and identity-aware access controls, thereby reducing the attacker's ability to access and exfiltrate sensitive information.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While physical device access is beyond CNSF's scope, its implementation could have limited unauthorized access to cloud-based resources linked to the device.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have limited the attacker's ability to access sensitive cloud resources by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have constrained unauthorized movement between cloud workloads, limiting the attacker's ability to access multiple data repositories.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have detected and alerted on unauthorized data transfers to external systems.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have restricted unauthorized data exfiltration from cloud services.
By limiting unauthorized access and data exfiltration, CNSF could have reduced the scope of compromised information, thereby mitigating potential threats to Mwangi's personal security and activism.
Impact at a Glance
Affected Business Functions
- Human Rights Advocacy
- Political Campaigning
- Personal Communications
Estimated downtime: N/A
Estimated loss: N/A
Personal photos, private conversations, and sensitive political plans of the activist.
Recommended Actions
Key Takeaways & Next Steps
- • Implement robust device encryption and ensure all devices are protected with strong, unique passwords to prevent unauthorized access.
- • Regularly update device firmware and security patches to mitigate vulnerabilities that could be exploited by forensic tools.
- • Educate activists and individuals at risk about the importance of physical device security and the potential threats posed by forensic extraction tools.
- • Advocate for legal reforms and oversight to prevent the misuse of forensic technologies by authorities, ensuring they are used in compliance with human rights standards.
- • Support the development and deployment of technologies that can detect and alert users to unauthorized access or tampering with their devices.
