Israeli digital intelligence firm Cellebrite sells software designed to unlock phones and extract data from them. As a result, their products are one of the favorites of U.S. law enforcement and police agencies use them frequently to collect evidence of confiscated devices. In the past, the company has received criticism for its willingness to sell to almost any government, including repressive regimes around the world. However, despite its mission to compromise phone security everywhere, Cellebrite seems to have little interest in securing its own software, if you believe it is the CEO of the Encrypted Chat application Signal.
In a blog post released Wednesday, Moxie Marlinspike claimed that Cellebrite software has atrocious security that can be easily manipulated in quite surprising ways.
“We were surprised to see that very little attention has been paid to the security of Cellebrite software. Industry standard exploitation mitigation defenses are lacking and there are many exploitation opportunities, “Marlinspike writes.” Until Cellebrite is able to accurately repair all vulnerabilities in its software with very high confidence, the only the remedy a Cellebrite user has is not to scan devices “.
Among many wild claims being made on the blog, Marlinspike says that due to security flaws, someone could basically rewrite all the data that Cellebrite tools collect. Hypothetically, a single configuration file could be introduced into any application on a specific device, allowing all the data to be altered. or it will be collected by Cellebrite software.
This file could alter the data “arbitrarily (insert or delete text, email, photos, contacts, files or any other data), without detectable timestamp changes or checksum errors,” the blog states. Keep on:
“Given the number of opportunities present, we’ve found that it’s possible to run arbitrary code on a Cellebrite machine simply by including a specially formatted, but otherwise harmless, file in any application on a device that later connects to Cellebrite and s There are virtually no limits to the code that can be run “.
G / O Media may receive a commission
The blog even includes a video, spliced with scenes from the movie Hackers, which shows how easily Cellebrite software can be hijacked:
In addition, the blog makes another rather bold statement: Apple’s seemingly intellectual property code appears within Cellebrite’s software, which Marlinspike says “could pose a legal risk to Cellebrite and its users.” . In other words, Cellebrite could sell code that belongs to its biggest opponent.
If all of these disclosures are true, it could have pretty massive ramifications for Cellebrite. If we can assume that it is so easy for someone to enter the company’s software and drastically modify the data collected by the police, how safe can law enforcement be that the evidence they collect is really correct? What would be the legal consequences for cases that have depended on Cellebrite software, if their security is really so weak? Anyone who has been involved in a case that has used this software should probably call their attorney right now.
The fact that Marlinspike has very publicly overcome these security concerns — and has done so without first revealing to Cellebrite, as is the industry’s standard practice — could definitely be defined as a beating, if not a totally backward slap. It’s hard not to read all of this as a sort of retort to Cellebrite’s recent claims can break Signal cipher“Surely a statement that stuck to Marlinspike’s capture.” To top it off, the CEO of Signal really ends the blog by making it look like Signal wants to spam Cellebrite with some kind of files adjacent to malware in the future:
In completely unrelated news, future versions of Signal will periodically retrieve files for placement in the app’s storage. These files are never used for anything within Signal and never interact with Signal software or data, but they look nice and aesthetics are important in the software … We have a few different versions of files that we believe that they are aesthetically pleasing and that they will iterate through these slowly over time. There is no other importance in these files.
Shots fired, indeed. We have contacted Cellebrite for feedback and will update this story if we receive news.
UPDATE, 6:50 p.m., Wednesday, April 21st: In response to the request for comment, a Cellebrite spokesperson sent us the following statement:
Cellebrite enables clients to protect and save lives, expedite justice, and preserve privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers can use our technology and are not sold in countries subject to sanctions by the US, Israel or the international community at large. Cellebrite is committed to protecting the integrity of our customers’ data and we continually audit and update our software to provide our customers with the best digital intelligence solutions available.