Russia used Cellebrite to hack activist's phone after sanctions

Manaal Khan, June 28, 2026 at 8:17 AM, 5 min read
Key Takeaways

Source: Engadget
  • Russian authorities allegedly used Cellebrite tools to access activist Andrey Pivovarov's iPhone 12 in June 2021, three months after Cellebrite cut ties with Russia
  • Citizen Lab found forensic evidence of Cellebrite's UFED toolkit usage, corroborated by official Russian court documents
  • Cellebrite claims any post-March 2021 use was 'entirely unauthorized' and that legacy hardware is incompatible with modern devices

Russian authorities used Cellebrite's digital forensics platform to extract data from the phone of imprisoned activist Andrey Pivovarov in June 2021, three months after the Israeli company terminated its Russian contracts. The finding, published by the University of Toronto's Citizen Lab, raises sharp questions about how sanctions and export controls on surveillance technology actually work in practice.

Pivovarov, the former director of pro-democracy nonprofit Open Russia, had his iPhone 12 and MacBook seized when he was arrested in May 2021. The devices remained in government hands until 2023. When he finally got them back and contacted Citizen Lab, researchers found clear traces of Cellebrite's forensic extraction tools on the iPhone.

What did Russian investigators access?

According to Citizen Lab's analysis, Russian authorities used Cellebrite's UFED Physical Analyzer and UFED 4PC toolkit on or around June 17, 2021. These tools extract data from locked mobile devices and parse it for investigators. The researchers say they identified the forensic signatures with "high confidence."

The technical findings align with official Russian documentation. A translated court report titled "Forensic Expert Report No. 1269-17" explicitly names Cellebrite's UFED tools. Investigators searched Pivovarov's WhatsApp, Telegram, and Viber messages for terms like "Open Russia Civic Movement" and the names of opposition figures including Mikhail Khodorkovsky, the organization's founder.

Pivovarov said he never provided passwords for either device. The MacBook, which was encrypted, proved harder to crack. Citizen Lab found evidence of repeated failed login attempts on the laptop the same day investigators successfully accessed the iPhone.

Cellebrite's defense: unauthorized use of old hardware

Cellebrite terminated its contract with Russia's Investigative Committee in March 2021, following reports that its tools were being used against political opponents. The company says Russian agencies stopped receiving software updates immediately.

In an email shared with Forbes, Cellebrite's chief marketing officer David Gee called any post-March 2021 use "entirely unauthorized." He argued that hardware sold before the cutoff "would now be incompatible with modern devices and would operate without our technical support, our consent or any legal sanction from Cellebrite."

That claim has a problem. The iPhone 12 that investigators accessed was not a "modern device" by Cellebrite's own framing. It launched in October 2020, and Pivovarov's unit was seized in May 2021. Hardware and software purchased before sanctions took effect would have been fully capable of extracting data from a six-month-old phone.

The enforcement gap in surveillance exports

Citizen Lab's report accuses Cellebrite of "failing to meet its corporate responsibility to respect human rights." The researchers note the company has "a well-documented history of selling to governments with track records of persecuting activists, journalists and dissidents." Cellebrite markets to over 60,000 agencies across 150 countries.

The Pivovarov case illustrates a structural weakness in how the surveillance technology industry handles ethics and compliance. Companies can terminate contracts and halt support, but hardware already deployed remains functional. Software licenses can be enforced, but only if the vendor has technical kill switches or requires ongoing authentication. Neither appears to have stopped Russian investigators here.
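To make that enforcement gap concrete, here is an added example (not code from the article, from Citizen Lab, or from any forensics vendor; the signing key, the customer id and the dates are constructed for the demo). It contrasts a signature-only license check, which keeps accepting a genuinely signed token no matter what the vendor does afterwards, with a check that also enforces a short expiry and a vendor-published revocation list, which is the kind of "ongoing authentication" the paragraph above says was missing.

```python
"""Added example: why a deployed forensic tool keeps working after the vendor
ends the contract (signature-only licensing) and what a renewal-plus-revocation
model changes. Not vendor code; all values are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption: a vendor-held signing key. Constructed for this demo only.
VENDOR_KEY = b"constructed-demo-signing-key"


def _sign(body: bytes, key: bytes = VENDOR_KEY) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_license(customer_id: str, issued_at: datetime, ttl: timedelta,
                  key: bytes = VENDOR_KEY) -> str:
    """Mint a token: base64(JSON payload) + '.' + HMAC-SHA256 tag."""
    payload = {
        "customer": customer_id,
        "issued_at": issued_at.isoformat(),
        "expires_at": (issued_at + ttl).isoformat(),
    }
    body = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, key)


def _parse(token: str, key: bytes):
    """Return the payload if the tag verifies, else None."""
    try:
        b64, tag = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body, key), tag):
        return None
    return json.loads(body)


def check_signature_only(token: str, key: bytes = VENDOR_KEY) -> bool:
    """Weak model: deployed software trusts any genuinely signed token, forever.
    Terminating the contract changes nothing on hardware already in the field."""
    return _parse(token, key) is not None


def check_with_expiry_and_revocation(token: str, now: datetime,
                                     revoked_customers: set,
                                     key: bytes = VENDOR_KEY) -> tuple:
    """Stronger model: short-lived tokens that must be renewed from the vendor,
    plus a revocation list the software refreshes on each start.
    Returns (allowed, reason)."""
    payload = _parse(token, key)
    if payload is None:
        return (False, "bad signature")
    if payload["customer"] in revoked_customers:
        return (False, "customer revoked")
    if now >= datetime.fromisoformat(payload["expires_at"]):
        return (False, "license expired")
    return (True, "ok")


def demo() -> dict:
    # Constructed timeline loosely following the article: license issued early
    # 2021, contract terminated March 2021, use attempted on 17 June 2021.
    issued = datetime(2021, 1, 15, tzinfo=timezone.utc)
    termination = datetime(2021, 3, 1, tzinfo=timezone.utc)
    attempt = datetime(2021, 6, 17, tzinfo=timezone.utc)
    # A ten-year license checked only by signature never asks the vendor again.
    perpetual = issue_license("customer-A", issued, timedelta(days=3650))
    # A 30-day license that has to be renewed online to keep working.
    short_lived = issue_license("customer-A", issued, timedelta(days=30))
    revoked = {"customer-A"} if attempt >= termination else set()
    # Flip the last tag character to simulate a tampered token.
    tampered = perpetual[:-1] + ("0" if perpetual[-1] != "0" else "1")
    return {
        "signature_only_after_termination": check_signature_only(perpetual),
        "revocation_enforced": check_with_expiry_and_revocation(perpetual, attempt, revoked),
        "expiry_enforced": check_with_expiry_and_revocation(short_lived, attempt, set()),
        "valid_before_termination": check_with_expiry_and_revocation(
            short_lived, issued + timedelta(days=10), set()),
        "tampered": check_with_expiry_and_revocation(tampered, attempt, set()),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), default=str, indent=2))
```

The point of the contrast is the first result: the perpetual token is still accepted in June 2021 because nothing in a signature-only check ever consults the vendor again. Expiry and revocation only help if the software refuses to run without a fresh token, which is a design decision the vendor has to make before shipping, not after a contract ends.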

Cellebrite is not the only forensics vendor facing these questions. Competitors like Grayshift (maker of GrayKey), MSAB, and Oxygen Forensics sell similar extraction tools to governments worldwide. The market for mobile device forensics has grown rapidly alongside smartphone adoption, and the same capabilities that help police investigate crimes can just as easily be turned against dissidents.

What happened to Pivovarov?

Pivovarov received a four-year prison sentence in July 2022 on charges of participating in an "undesirable organization." Open Russia had dissolved itself months earlier to protect members from prosecution under Russia's increasingly repressive laws. He was released and eventually had his devices returned, allowing Citizen Lab to conduct its forensic examination.

His case fits a broader pattern. Russian authorities have used digital evidence, often extracted from phones and laptops, to build prosecutions against opposition figures, independent journalists, and human rights defenders. The provenance and legality of that evidence rarely faces scrutiny in Russian courts.

Logicity's Take

For organizations operating in sensitive environments, this case is a reminder that device security depends on more than strong encryption. Pivovarov's MacBook resisted extraction because it was encrypted. His iPhone did not. If your threat model includes state-level adversaries with physical access to hardware, full-disk encryption with strong passphrases is baseline, not optional. Enterprises evaluating mobile device management should also consider forensic resistance as a criterion. Tools like Cellebrite, Grayshift's GrayKey (typically $15,000-30,000 per unit for law enforcement), and MSAB's XRY are designed to defeat standard protections. Apple's Lockdown Mode, introduced in 2022, addresses some extraction vectors but did not exist when Pivovarov's device was seized.

Frequently Asked Questions

How does Cellebrite access locked phones?

Cellebrite's UFED tools exploit vulnerabilities in mobile operating systems to bypass lock screens and encryption. The company continuously updates its software to work against new device models and OS versions, which is why cutting off updates theoretically limits effectiveness against newer hardware.

Did Cellebrite violate sanctions by allowing Russia to use its tools?

Cellebrite argues it did not, since the hardware was sold before March 2021 and any subsequent use was unauthorized. However, critics contend the company should have implemented technical measures to disable deployed systems, not just stopped selling new licenses.

Can individuals protect their devices from forensic extraction?

Strong encryption with long, unique passphrases provides the most effective protection. Apple's Lockdown Mode and similar hardening features reduce attack surface. However, no consumer device is fully resistant to state-level forensic tools with physical access.

Who is Citizen Lab and why are they credible?

Citizen Lab is a research group at the University of Toronto's Munk School that specializes in investigating digital surveillance and human rights. They have published major investigations into NSO Group's Pegasus spyware and other surveillance technologies, with findings corroborated by independent security researchers and journalists.

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team.