ATO will continue to use Cellebrite tools

The Australian Taxation Office has not stepped back from its use of phone cracking tools, saying it will continue to use Cellebrite forensic software.
Written by Chris Duckett, Contributor

The Australian Taxation Office (ATO) has said it will continue to use forensic software provided by Cellebrite to support criminal investigations, and has sought to downplay fears that it has been remotely accessing handsets.

"The ATO does not monitor taxpayers' mobile phones or remotely access their mobile devices," it said in a statement.

The ATO made its declaration in response to an ABC story that revealed a tax office employee had published an internal document that provided instructions on how to access data within a handset.

Punishment for the employee who published the document to LinkedIn was to be reminded of their responsibilities as a public employee, the ABC said.

In its defence, the ATO said any access to mobiles or laptops is completed after gaining a court-ordered warrant, and is conducted legally.

"It is not correct to refer to it as 'hacking'," the ATO said on Wednesday. "Any use of software that may bypass the security lock of a phone is conducted with the relevant legislative approval (primarily section 3E of the Crimes Act) or following written consent from the owner of the device.

"We will continue to work with other enforcement agencies in supporting criminal investigations, including through use of Universal Forensic Extraction software."

In December, ZDNet published a Cellebrite phone extraction report. A month later, the Israeli firm ironically confirmed a breach of its servers.

Later on Wednesday, the ATO said that following its IT annus horribilis, it would not be imposing penalties for late lodgement of 2015-16 income tax returns and activity statements due from December 2016, provided they were lodged by August 31.

"These arrangements will be put in place automatically -- tax practitioners, their clients, and other taxpayers do not need to contact the ATO," it said.

The series of outages at the ATO has not finished, with the agency saying there will be "minimal disruption" as issues noted in its report into the December 2016 SAN failure are fixed.

The report said the SAN could not handle more than one drive or cage failure thanks to a design decision taken by HPE, which owned and operated it. An analysis of logs from the six months before the incident also showed a number of alerts indicating problems with the SAN that were not addressed.

"Since May 2016, at least 77 events related to components that were observed to fail in the December 2016 incident were logged in our incident resolution tool," the ATO said.

"We were not made fully aware of the significance of the continuing trend of alerts, nor the broader systems impacts that would result from the failure of the 3PAR SAN."

The exact root cause for the outage is pending a report from HPE due to arrive in late 2017; however, the report placed blame on the degradation of a number of fibre optic cables used within the SAN.

Most damning, though, was HPE's lack of preparation for an event of the kind experienced by the ATO in December.

"Recovery procedures for applications in the event of a complete SAN outage had not been defined or tested by HPE," the ATO said.

As a result of the incidents, the ATO has rebuilt its storage solution with a new 3PAR, and once data from the existing 3PAR SAN is transferred, it will be decommissioned in July for forensic analysis.

Last week, the ATO suffered another outage, but this time laid the blame on the need to reboot its mainframe.

"This was caused by applications running incorrectly," the ATO said at the time.
