Major Australian government agencies, including the Department of Immigration, are buying off-the-shelf phone hacking tools that can extract data from mobile phones, according to a UK-based vendor.
Fairfax Media revealed in June that various government departments and agencies, including Centrelink, the Department of Employment and the ATO, were using phone-hacking technology developed by Israeli security company Cellebrite.
But Fone Fun Shop owner Mark Strachan said he also sold these commonly available phone hacking devices to the Australian Border Force and Australian Federal Police, as well as the general public in Australia.
Fone Fun Shop was mentioned in an internal how-to guide on phone hacking published by an ATO employee on LinkedIn. The retailer is a UK-based phone repairer.
Several Australian government agencies have admitted to using Cellebrite. But the use of the other devices sold by Fone Fun Shop suggests the agencies are using a much wider range of phone hacking tools than previously believed.
A Department of Immigration and Border Protection spokeswoman confirmed it had made a purchase from the UK store.
"The department uses a range of commercial hardware and software products. It made a one-off purchase from this vendor in 2015 of less than $1000AUD," the spokeswoman said.
The tools sold by Fone Fun can be purchased off eBay or other online vendors for prices ranging between $100 and $200. Typically they are used to repair phones or unlock them from phone networks. Users of the phone-hacking devices have to be in physical possession of the phone, or within Bluetooth range for some versions.
"These tools are designed to fix and unlock phones, that's what they're designed for," Mr Strachan said.
Jon Sawyer, an American-based mobile security researcher, said he was staggered to hear Australian government agencies were using such devices to chase criminals.
"My head's kind of spinning here. Why the hell would they even use this? This seems very unprofessional," Mr Sawyer said.
"A lot of [these tools] are basically for fraud, not by everybody; they have legitimate uses."
Mr Sawyer said the devices could also allow thieves to reuse "blacklisted" phones or to extract data stored on the phone.
However, the basic devices fail to extract data as effectively as Cellebrite's Universal Forensic Extraction Device, as they risk corrupting or deleting any information harvested.
"They're not forensically sound. I don't know if you could use one of these and take the evidence to court in the United States," Mr Sawyer said.
Mr Strachan said anyone could access the tools but they were difficult to learn how to use. His company does not provide training in how to use them.
Agencies including the Australian Federal Police, the Department of Defence and the Australian Securities and Investments Commission have previously been confirmed by Fairfax Media to use Cellebrite technology.
Federal Justice Minister Michael Keenan and Opposition Leader Bill Shorten expressed concern on Wednesday that a government-produced how-to guide on phone hacking had been published by an ATO employee on a LinkedIn page. The ATO said the technology was never used without a warrant.
The Department of Human Services and the Department of Employment do not use these phone-hacking devices.
The Australian Federal Police was approached for comment.