CSI Stick grabs data from cell phones

This guest post is from Marc Weber Tobias, an attorney and physical security specialist.

If someone asks to borrow your cell phone, or you leave it unattended, beware!

Unless you actually watch them use it, they may be secretly grabbing every piece of your information on the device, even deleted messages. If you leave your phone sitting on your desk, or in the center console of your car while the valet parks it, then you and everyone in your contacts list may be at risk, to say nothing of confidential e-mails, spread sheets, or other information. And of course, if you do not want your spouse to see who you are chatting with on your phone, you might want to use extra caution.

Paraben's CSI Stick can be used to make a copy of all data on a cell phone.

(Credit: Marc Weber Tobias)

There is a new electronic capture device that has been developed primarily for law enforcement, surveillance, and intelligence operations that is also available to the public. It is called the Cellular Seizure Investigation Stick, or CSI Stick as a clever acronym. It is manufactured by a company called Paraben, and is a self-contained module about the size of a BIC lighter. It plugs directly into most Motorola and Samsung cell phones to capture all data that they contain. More phones will be added to the list, including many from Nokia, RIM, LG and others, in the next generation, to be released shortly.

I recently attended and lectured at the Techno-Security conference in Myrtle Beach, Fla. About 1,500 law enforcement and security professionals participated and were briefed on the latest in cybersecurity vulnerabilities from participating federal agents, manufacturers, and cyber-consultants. The CSI Stick caught my attention because of the potential to rapidly and covertly download all of the information contained in many cell phones.

This device connects to the data/charging port and will seamlessly grab e-mails, instant messages, dialed numbers, phone books and anything else that is stored in memory. It will even retrieve deleted files that have not been overwritten. And there is no trace whatsoever that the information has been compromised, nor any risk of corruption. This may be especially troublesome for corporate employees and those that work for government agencies.

The good news: the device should find wide acceptance by parents who want to monitor what their kids are doing with their phones, who they are talking to and text messaging, and where they are surfing. It could also be valuable in secure areas where employees need to be randomly monitored to insure that sensitive information is not compromised through the use of a cell phone as a memory device.

The CSI Stick sells for $200 and requires an added piece of software to mine the data and do sophisticated processing on your computer. So now, in addition to worrying about your conversations or data being intercepted through your Bluetooth headset, there is a new threat, and it is very real.

The rule: if your phone contains sensitive data, do not leave it unattended. If you loan it to someone to use because they tell you theirs is not working, make sure you actually see them using the phone and there is nothing connected to it.

(Credit: Marc Weber Tobias)

[terminalblue]

i want one. now.

[fokkwp]

Obvious question: does it work if the cell phone has a power-up password?

[Ynegussie]

No it doesn't. I had the same question myself, and I emailed their tech support. They said,it doesn't work on locked or password protected phones.

[anti_jinks]

how about glued up data ports like the USB security? lol

[ferretboy88]

Or a plug in lock that goes on the phone.

[Fire Balls]

So how long until cell phone companies add security to their phones that make this imposable? like password protected only data connections. don't know the password you can't make a connection via a data port.

[loose_screw]

Would usage of this device without the cell phone owner's permission constitute theft? Do the authorities need to get a warrant to use it?

[Lerianis]

Yes, they do need a warrant to use this thing, unless you are stupid enough to actually hand the phone to them and they have clearly identified themselves as law enforcement officers.

[JRHelgeson]

Uh, Tobias, we were at Myrtle Beach in South Carolina... not Florida. Myrtle Beach is also where you gave the sneak peek on picking Medeco locks that you spoke about at DefCon. I must agree though that the Paraben device is pretty cool. If anyone else is interested in learning more about Paraben or their equally intriguing CEO, they're having some sort of shin-dig coming up in Park City, UT coming up. I recall getting an email from them. Why is it that Utah seems to be a technology center for forensics? Rather odd, I say.

[hassan_bin_sober]

I am going to develop a product that detects any device like this and detonates the 10 grams of C4 packed in the phone!

[[RR]Macavity]

Never mind the C4, dude. Black IC is where it's at:

*snoop plugs CSI stick into phone*

Phone: "WARNING: UNAUTHORIZED MEMORY ACCESS DETECTED. INTRUSION COUNTERMEASURES ACTIVATED."

Snoop: Huh? What?

*CSI stick glows briefly as the phone drains the battery into the CSI stick, frying it*

Snoop: Oh, [expletive].

[ferretboy88]

I never thought using a phone as a computer or pda was a good idea. Its way too easy to lose them and have the info taken.

[paraben]

This product simply does not work on the phones they advertise. They are FANTASTIC at marketing! Do not drink the koolaide. The review above is pitiful and contains NO technical content.