
A seized iPhone gave up everything. The MacBook beside it gave up nothing.

Cellebrite's UFED tool fully read a locked iPhone in Russian custody but failed on the encrypted MacBook seized beside it. Encryption state at seizure decided


Two devices went into Russian custody on the same May morning in 2021. One was read end to end. The other gave its captors nothing. The locked iPhone 12 belonging to opposition organizer Andrey Pivovarov was extracted with a commercial forensic kit. The MacBook seized beside it held, because its disk was encrypted and no one had the password. That split is the part worth your attention, more than the headline that a sanctioned tool was used anyway.

The disclosure is fresh even though the event is not. Citizen Lab published its forensic attribution on June 25, 2026, documenting an extraction that ran just over five years earlier. It lands now because it pins down two things that rarely sit side by side: traces left on the hardware itself and the seizing government's own paperwork naming the tools it used.

What Citizen Lab documented

Russian security services detained Pivovarov at a St. Petersburg airport on May 31, 2021, and an iPhone 12 and a MacBook went into custody with him. Just over two weeks later, on June 17, examiners pointed Cellebrite's UFED Physical Analyzer and UFED 4PC at the phone. Out came chat histories from WhatsApp, Telegram, and Viber, plus the search terms the operators ran: the names of people in his circle, his partner among them. That contact graph became raw material for who got targeted next.

Pinning a years-old job on one vendor took two records that happened to agree. The phone itself had kept a log of the trusted machine it was wired to that day, and the host's fingerprint matched equipment the researchers had earlier linked to Cellebrite. Then the prosecution entered its own evidence: a forensic report, number 1269-17, produced inside Russia's Interior Ministry, that lists the UFED products outright. The laptop went the other way. Its disk encryption did not budge, the password never turned up, and the extraction came back empty.

From sales cutoff to extraction: a tool that kept working offline

  • Mar 2021: Cellebrite says it stopped selling to Russia and Belarus.

  • May 31, 2021: Pivovarov detained, iPhone 12 and MacBook seized.

  • Jun 17, 2021: UFED extraction runs against the locked iPhone.

  • Jun 25, 2026: Citizen Lab publishes the forensic attribution.
Source: Citizen Lab, June 25, 2026; The Hacker News; Security Affairs.

The timing is the part the headlines fixed on. Cellebrite had announced back in March 2021 that it was done selling into Russia and Belarus, yet the extraction ran about three months after that line was drawn. The company's answer to reporters: any use past the cutoff was never authorized, its equipment runs with no assistance or approval from the vendor, and kit this old would be useless against a current phone anyway. Grant every word of that and the lesson for defenders gets sharper, not softer.

Why the laptop won and the phone did not

Strip away the geopolitics and you are left with a clean controlled experiment. Same owner, same seizure, same operators, two opposite outcomes. The variable that decided it was the state of encryption at the moment each device was taken.

A modern phone or laptop encrypts its storage at all times, but the keys that turn that storage back into readable data are only derived once someone has entered the passcode or passphrase after a boot. A machine that is powered off, or rebooted and never unlocked since (the state forensic examiners call "before first unlock"), holds those keys nowhere an attacker can reach; guessing a long passphrase is the only road in, and it usually dead-ends. A device that has been unlocked since boot and merely locked again ("after first unlock") is a softer target, because the keys are already resident in memory and a forensic tool's job shrinks to reaching them. The MacBook behaved like the first case. The phone, whatever its precise state when grabbed, behaved like something a tool could still get into.

That is the single most useful variable a defender actually controls, and it is deliberately boring. Full-disk encryption with a long passphrase, on a device that is genuinely powered down before it can be seized, is what turned the laptop into a brick for the operator. The flip side is how little physical access a phone needs to surrender the rest: an unpatchable iPhone bootrom flaw is the same problem approached from the hardware end, and no software update closes it.

"We stopped selling it" was never a control

Citizen Lab's blunt point is the one to carry into a risk review. A UFED unit goes on doing its job offline for years after the vendor walks away from it, so the real exposure was never the next sale on the order book. It was every unit already parked in a police or intelligence office, needing nothing from Cellebrite to keep running. A sales ban does not reach into the room and switch off the boxes already there.

Security teams repeat that mistake in quieter forms. A revoked vendor license, a "deprovisioned" integration, a partner relationship wound down on paper: none of those revoke a capability that has already been delegated and runs without a live connection. The Cellebrite case is the dramatic version of a connected app that still holds a valid token, or a credential that outlives the crew that stole it. When police seized the malware behind one mass-theft operation, the stolen passwords still worked. When Washington export-controlled an AI bug-finding system, the copies already in circulation did not evaporate. Decommissioning is a paperwork event. Revocation is a technical one, and only the second changes what an adversary can do tonight.

Harden the devices that can be taken from your staff

Start from the assumption this case proves: any device that leaves your physical control should be treated as extracted, not as safely locked. Plan for the data on it being read, then work backward to limit what that costs you.

  • Power off before the risk, not after. For staff crossing hostile borders or facing detention, a fully shut-down device keeps its keys out of memory. A lock screen on a device that has been used and not rebooted does not.

  • Use a passphrase, not a short PIN. Full-disk encryption only buys time if the secret behind it resists brute force. A six-digit code can be guessed by any tool that gets to attempt it, and a biometric unlock is always backed by a passcode, so it is only as strong as that passcode.

  • Turn on Lockdown Mode for high-risk users. Apple's hardened profile, and equivalent restrictions on other platforms, narrows what a wired forensic tool can talk to on a locked device by refusing wired connections while the device is locked.

  • Audit pairing and USB trust. The same pairing records that convicted this extraction are a detection surface. Knowing whether a returned device was ever connected to an unknown host is a question you can answer.

  • Compartmentalize the contact graph. The phone's value here was less the messages than the names. Limit what a single seized device can expose about everyone the owner knows.
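
The pairing audit in the list above is the one step that reduces to a query you can run on returned devices. Here is an added example of that logic, written for this article and not taken from Citizen Lab or any vendor: it reads a device's trusted-host records, compares each host against the fleet allowlist, and flags any pairing created while the device was out of its owner's hands. The record format, the host identifiers and the custody window are all constructed for illustration; real pairing records (Apple lockdown pair records, for instance) carry different keys and must first be exported with a forensic or MDM tool.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PairRecord:
    host_id: str         # identifier the device stored for the trusted host
    host_name: str       # name the host presented at pairing, if any
    paired_at: datetime  # when the trust relationship was created (UTC)


# Hosts the organisation issued and expects to see on staff devices.
# Constructed identifiers, not real machines.
KNOWN_HOSTS = {
    "2f6c1e3a-9b1d-4a7e-8c55-0f1d2e3a4b5c": "it-mdm-workstation-01",
    "7d0e9a44-31c2-4f8b-a6e1-5b2c3d4e5f60": "it-mdm-workstation-02",
}

# Window during which the device was out of the owner's hands (constructed,
# modelled on the seizure-to-extraction gap described in the article).
CUSTODY_START = datetime(2021, 5, 31, tzinfo=timezone.utc)
CUSTODY_END = datetime(2021, 6, 30, tzinfo=timezone.utc)

# Constructed export of the device's pairing records as newline-delimited JSON.
# Real records use different keys and have to be pulled off the device or the
# host with a forensic or MDM tool; this shape exists only for the example.
SAMPLE_EXPORT = """\
{"host_id": "2f6c1e3a-9b1d-4a7e-8c55-0f1d2e3a4b5c", "host_name": "it-mdm-workstation-01", "paired_at": "2021-02-03T09:12:00Z"}
{"host_id": "7d0e9a44-31c2-4f8b-a6e1-5b2c3d4e5f60", "host_name": "it-mdm-workstation-02", "paired_at": "2021-06-01T14:05:00Z"}
{"host_id": "c9a7b3f2-0d1e-4c5a-9b8f-7e6d5c4b3a21", "host_name": "DESKTOP-7QX", "paired_at": "2021-06-17T10:41:00Z"}
"""


def parse_export(text: str) -> list[PairRecord]:
    """Parse one JSON object per line into PairRecord objects; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        # Normalise the trailing Z so fromisoformat yields a timezone-aware datetime.
        stamp = datetime.fromisoformat(obj["paired_at"].replace("Z", "+00:00"))
        records.append(PairRecord(obj["host_id"], obj.get("host_name", ""), stamp))
    return records


def audit_pairings(records, known_hosts, custody_start, custody_end):
    """Return the pairings a reviewer should look at, oldest first.

    A record is flagged when the host is not on the allowlist, when the pairing
    was created while the device was out of the owner's control, or both.
    """
    findings = []
    for rec in sorted(records, key=lambda r: r.paired_at):
        reasons = []
        if rec.host_id not in known_hosts:
            reasons.append("host not in allowlist")
        if custody_start <= rec.paired_at <= custody_end:
            reasons.append("paired while device was out of owner's control")
        if reasons:
            findings.append({
                "host_id": rec.host_id,
                "host_name": rec.host_name,
                "paired_at": rec.paired_at.isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_pairings(parse_export(SAMPLE_EXPORT), KNOWN_HOSTS,
                                  CUSTODY_START, CUSTODY_END):
        print(finding["paired_at"], finding["host_name"], "; ".join(finding["reasons"]))
```

The two checks are deliberately independent: a fleet laptop that paired during the custody window is still worth a question, because the allowlist says who the host is, not who was holding the device when the trust was granted. Run the audit against every device that comes back from travel or detention, and treat any unknown host as a presumption of extraction rather than an anomaly to explain away.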

The uncomfortable takeaway is that the controls that worked were unglamorous and already available in 2021. Encryption you already own, a shutdown you can do at a checkpoint, and a passphrase long enough to mean it. The activist's laptop survived a state forensic lab not because of anything exotic, but because the boring defaults were set correctly and the device was off. Set them correctly on the devices your people carry into places you cannot reach, and assume the rest will be read.


Frequently asked questions

What is Cellebrite UFED?

Cellebrite UFED is a commercial mobile-forensics platform that extracts data from seized phones and other devices.

Law enforcement and intelligence agencies use it to recover messages, contacts, and files. In this case operators used the UFED Physical Analyzer and UFED 4PC products against a locked iPhone 12.

Did Cellebrite authorize the use against the Russian activist?

No. Cellebrite said any use after its March 2021 decision to stop selling to Russia and Belarus was unauthorized.

The company said the hardware runs without its support or consent. Citizen Lab's point is that offline tools keep working regardless, so a sales cutoff does not recall what is already deployed.

Why did the MacBook resist extraction but the iPhone did not?

The MacBook's full-disk encryption held because the authorities never had the password and could not brute-force it.

The locked iPhone was still reachable to the forensic tool. The deciding factor is whether a device's encryption keys are resident in memory, which depends on its state when it was seized.

Does turning a phone fully off protect it from forensic extraction?

Powering a device fully off helps because it clears the encryption keys from memory, forcing an attacker to brute-force the passphrase.

A device merely locked after use keeps those keys resident, which is the softer state forensic tools target. A long passphrase rather than a short PIN matters too.

How was the extraction traced to Cellebrite five years later?

Citizen Lab used two independent records: the phone's USB pairing logs and the Russian government's own forensic report.

The pairing records showed a June 17, 2021 connection to a host fingerprint attributed to Cellebrite, and Forensic Expert Report No. 1269-17 named the UFED products directly.
