Bangladesh bought spyware from Israel’s Cellebrite

A USB with "Cellebrite" written on it is plugged into a device

Bangladesh reportedly bought surveillance technology from Israeli cyberwarfare company Cellebrite.

Issei Kato Reuters

Bangladesh bought hundreds of thousands of dollars worth of Israeli surveillance technology, documents obtained by the Al Jazeera Investigative Unit and Tel Aviv daily Haaretz revealed on Monday.

The product, called UFED, is made by Israeli cyberwarfare company Cellebrite and is capable of breaching and extracting a massive amount of data from a wide range of devices.

This includes text messages, emails, chats, passwords, location tags and even deleted or hidden data on devices.

Cellebrite previously boasted of its product being used by governments, law enforcement agencies and military intelligence in more than 60 countries.

The reports said it was not clear whether the product was obtained directly through the Israeli company or via a subsidiary. Bangladesh reportedly spent at least $330,000 on the equipment.

Documents also revealed that nine officers from the intelligence wing of the Bangladeshi police were given permission to travel to Singapore in February 2019 for training on how to hack devices using the product.

Al Jazeera said the documents detailed how the training would graduate officers as certified by Cellebrite.

A Bangladeshi paramilitary force called the Rapid Action Battalion was also slated to be trained on the Cellebrite product as part of a project that began in 2019 and is scheduled to end in June this year.

The RAB unit is notorious for abuses including abductions, torture and disappearances.

Bangladesh has no diplomatic or trade relations with Israel. Bangladeshi passports even state that they are “valid for all countries of the world except Israel.”

Helping to “terrorize” communities

Cellebrite was founded in 1999 by Yaron Baratz, Yuval Aflalo, and Avi Yablonka. It was later acquired by Japanese firm Sun Corporation.

Cellebrite tries to distance itself from other Israeli cyberware companies implicated in human rights abuses, particularly spy firm NSO Group.

But Cellebrite is not without its own share of dubious involvements.

Its clients include a wide range of US law enforcement agencies, among them the Immigration and Customs Enforcement agency, ICE, and the FBI.

The American Civil Liberties Union (ACLU) previously accused Cellebrite of “helping ICE further terrorize immigrant communities.”

CNN said Cellebrite has for years been “the go-to resource for FBI agents breaking into suspects’ phones.”

The ACLU says it has received reports of Cellebrite being routinely used by US police forces to unconstitutionally conduct searches of phones without warrants under the pretext of “exigent circumstance[s].”

Additionally, a 2016 joint investigation by the The Intercept and the research group Bahrain Watch found that Cellebrite was used against Bahraini political activist Mohammed al-Singace.

Al-Singace was arrested by the Bahraini military in 2011 and tortured in prison.

The Bahraini government compiled a report against al-Singace for use in court that included conversations from messaging service WhatsApp likely obtained using Cellebrite’s UFED software.

This indicates that the Bahraini government may have been using Israeli spyware against its citizens before it established full diplomatic ties with Israel in September 2020, formalizing more than two decades of clandestine relations.

In 2019, Cellebrite reportedly also provided services to Saudi Arabia, with which Israel has no formal diplomatic relations – though increasingly warm informal ties.

Bangladesh buys Israeli products

This is not the first revelation that the Bangladeshi government is using Israeli malware.

In February, a documentary titled All the Prime Minister’s Men by the Al Jazeera Investigative Unit revealed how Bangladesh secretly bought surveillance equipment from Israeli cyberwarfare company Picsix.

A classified contract obtained by Al Jazeera, dated 26 June 2018, includes a condition that the Israeli company and the Bangladeshi military sign a nondisclosure agreement.

The country of origin is falsified in the contract – stating that the spyware was manufactured in Hungary rather than Israel.

Picsix differs from other malicious software in that it doesn’t rely on vulnerabilities in encrypted programs in order to infect devices.

Instead of breaking into encrypted programs, it glitches them to render them useless and drive users to use non-encrypted programs that can be easily intercepted.

Picsix was founded by former Israeli intelligence experts, according to its website.

It is well-established that Israel’s tech industry has deep ties to and recruits directly from the country’s military and intelligence apparatus.

The Bangladesh military denied buying spyware from Israel and said the equipment referred to in the Al Jazeera documentary was “signal equipment purchased from a Hungarian company for use in UN peacekeeping missions.”

The United Nations refuted that claim.

The equipment identified in the Al Jazeera documentary “has not been deployed with Bangladeshi contingents in UN peacekeeping operations,” said Stéphane Dujarric, the spokesperson for the United Nations secretary-general.


Tamara Nassar

Tamara Nassar is an assistant editor at The Electronic Intifada.