Full Report
New research from the Citizen Lab has found signs that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident's phone, making it the latest case of abuse of the technology targeting civil society. The interdisciplinary research unit at the University of Toronto's Munk School of Global Affairs & Public
Analysis Summary
# Incident Report: Forensic Extraction of Dissident Device via Cellebrite Technology
## Executive Summary
Kenyan authorities used Cellebrite forensic extraction tools to compromise the mobile device of prominent pro-democracy activist Boniface Mwangi while he was in police custody. The incident potentially resulted in the full extraction of sensitive personal, financial, and political data, fitting a broader pattern of commercial forensic tool abuse against civil society. The compromise was confirmed by Citizen Lab researchers after the device was returned to its owner with its security features disabled.
## Incident Details
- **Discovery Date:** September 2025 (upon return of device)
- **Incident Date:** July 20 – July 21, 2025
- **Affected Organization:** Device of Boniface Mwangi (Dissident/Presidential Candidate)
- **Sector:** Civil Society / Political
- **Geography:** Kenya
## Timeline of Events
### Initial Access
- **Date/Time:** July 2025
- **Vector:** Physical Seizure / Device Confiscation
- **Details:** The victim was arrested by Kenyan authorities in July 2025, and his Samsung mobile device was seized and held in police custody.
### Lateral Movement
- **N/A:** The attack was a direct forensic extraction of a standalone mobile device rather than a network-based intrusion.
### Data Exfiltration/Impact
- **Details:** Forensic tools were used to bypass the lock screen. Potentially exfiltrated material included everything stored on the device: private messages, personal files, financial information, and saved passwords.
### Detection & Response
- **Detection:** In September 2025, the victim received his phone back and discovered the password protection had been removed.
- **Response Actions:** The device was submitted to Citizen Lab for forensic analysis, which confirmed the use of Cellebrite tools.
## Attack Methodology
- **Initial Access:** Physical access to the device following an arrest.
- **Persistence:** Not applicable; the tool is used for one-time or situational extraction.
- **Privilege Escalation:** Use of Cellebrite software to bypass lock screen security and gain root/administrative access to the file system.
- **Defense Evasion:** Use of specialized forensic hardware/software designed to circumvent standard OS security controls.
- **Credential Access:** Extraction of stored passwords and account tokens from the device's internal storage.
- **Discovery:** Full indexing of the device's file system, including contact lists, call logs, and application data.
- **Lateral Movement:** Not applicable.
- **Collection:** Automated gathering of all sensitive files, media, and communications.
- **Exfiltration:** Data transferred to a local forensic workstation via a physical connection (USB).
- **Impact:** Complete loss of data confidentiality and compromised security posture for the victim.
## Impact Assessment
- **Financial:** Risk of theft or fraud arising from the extracted financial information and stored passwords.
- **Data Breach:** High; total compromise of all private communications and personal files.
- **Operational:** Disruption of the victim's political campaign and personal safety.
- **Reputational:** Public exposure of the Kenyan government's use of surveillance tools against political dissidents.
## Indicators of Compromise
- **Network Indicators:** N/A (Offline extraction)
- **File Indicators:** Forensic artifacts left by Cellebrite software (specific details typically restricted to investigative labs).
- **Behavioral Indicators:** Device returned to user with lock screen password/PIN disabled or removed.
## Response Actions
- **Containment:** Device was physically isolated after return.
- **Eradication:** Forensic analysis conducted by Citizen Lab to identify the scope of the breach.
- **Recovery:** Public disclosure of the abuse to raise awareness and advocate for policy change.
## Lessons Learned
- **Physical Sovereignty:** Physical possession of a device by hostile actors frequently results in a total compromise, regardless of password strength, when forensic tools like Cellebrite are employed.
- **Policy Gaps:** There is a lack of accountability and transparency regarding the sale and use of "dual-use" forensic technologies by private companies to government agencies with records of human rights abuses.
## Recommendations
- **Device Security:** Use a "Lockdown" mode where the platform offers one, and power the device off if an arrest is imminent so that it boots into the Before First Unlock (BFU) state, in which storage encryption keys have not yet been loaded into memory and forensic extraction is considerably harder.
- **Data Minimization:** Activists should regularly clear sensitive messages and use disappearing message features on encrypted platforms.
- **Legal Advocacy:** Push for international regulations on the export of commercial forensic and surveillance tools to regimes known for targeting civil society.