The CEO of the secure messaging app Signal has hacked a phone-unlocking device manufactured by Cellebrite, revealing critical vulnerabilities that could be used against police investigators.
Cellebrite is a digital forensics company that produces tools and resources to unlock devices such as the iPhone. The company famously sells its hacking devices to government and police agencies for investigative use, and even to U.S. public school districts.
On Wednesday, Signal founder Moxie Marlinspike reported several vulnerabilities in the hacking hardware that could be used to run malicious code on the machine used to scan an unlocked device. In practice, that machine would typically belong to a police or government investigator.
Beyond that, Marlinspike said there are “virtually no limits” to the type of malicious code that could be executed using the vulnerabilities.
For example, by including a specially formatted but otherwise harmless file in an app on a device that Cellebrite scans, one could run code that modifies not only the Cellebrite report created during that scan, but also all previously generated and all future Cellebrite reports, for every previously scanned device and every device scanned in the future, in arbitrary ways (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random and would call into question the data integrity of Cellebrite reports.
Marlinspike explains that Cellebrite’s hacking tools must parse every kind of untrusted data found on the iPhone or other device being analyzed. He notes that, after further investigation, “it appears that very little care has been taken in the security of Cellebrite software.”
The founder of Signal points out that industry-standard exploit-mitigation measures are missing, which leaves “many opportunities” for exploitation. For example, the Cellebrite system uses Windows audio/video conversion software that was released in 2012. Since then, that software has received more than 100 security fixes, none of which are included in the Cellebrite products.
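The paragraph above describes the core integrity risk: a report edited by code running on the analysis workstation passes any checksum that the same workstation recomputes. One defensive response is to make reports tamper-evident from outside the scanning machine. The following is an added example (not code from the original article, from Signal, or from Cellebrite) of a keyed hash chain over per-device reports. It assumes the key `VERIFIER_KEY` is held by a separate sealing and verification host, not by the workstation that produces the reports; the report contents and key value are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed example key. The assumption behind this design is that the key is
# held off the analysis workstation (by a separate sealing/verification host),
# so code running on the scanning machine cannot re-seal a report it has altered.
VERIFIER_KEY = b"example-key-held-off-the-analysis-host"

GENESIS_TAG = "0" * 64  # fixed "previous tag" for the first record in a chain


def canonical(report: dict) -> bytes:
    """Serialise a report deterministically so the MAC is reproducible."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def append_report(chain: List[dict], report: dict, key: bytes = VERIFIER_KEY) -> dict:
    """Seal a report as a chained, keyed record and append it to the chain.

    Each record's tag covers the report body and the previous record's tag, so
    altering any earlier report invalidates that record and every one after it.
    """
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    tag = hmac.new(key, prev_tag.encode() + canonical(report), hashlib.sha256).hexdigest()
    record = {"report": report, "prev_tag": prev_tag, "tag": tag}
    chain.append(record)
    return record


def first_tampered_index(chain: List[dict], key: bytes = VERIFIER_KEY) -> Optional[int]:
    """Recompute every tag in order; return the index of the first failing record, else None."""
    expected_prev = GENESIS_TAG
    for i, rec in enumerate(chain):
        if rec["prev_tag"] != expected_prev:
            return i  # chain link was rewritten or a record was removed/inserted
        recomputed = hmac.new(
            key, expected_prev.encode() + canonical(rec["report"]), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(recomputed, rec["tag"]):
            return i  # report body no longer matches its seal
        expected_prev = rec["tag"]
    return None


def demo() -> dict:
    """Build a three-report chain, silently edit an older report, and show it is detected."""
    chain: List[dict] = []
    # Constructed sample reports standing in for per-device extraction summaries.
    append_report(chain, {"device": "device-A", "contacts": 120, "messages": 3400})
    append_report(chain, {"device": "device-B", "contacts": 45, "messages": 800})
    append_report(chain, {"device": "device-C", "contacts": 210, "messages": 12000})
    clean = first_tampered_index(chain)
    # Simulate the edit the article describes: change one value in an earlier report
    # while leaving the stored tags (and any timestamps) exactly as they were.
    chain[0]["report"]["messages"] = 3401
    tampered = first_tampered_index(chain)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The design point is where the key lives: a checksum stored next to the report on the same machine is recomputed by whatever code altered the report, which is why the article's scenario produces "no detectable checksum failures". Verification only has teeth when the sealing key, or at least the latest chain tag, is recorded somewhere the scanning workstation cannot write.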
Also interesting are two MSI installer packages in Physical Analyzer that are digitally signed by Apple. Marlinspike suggests that the packages, which implement functionality between iTunes and iOS, were extracted from the Windows installer for version 12.9.0.167 of iTunes. Apple is unlikely to have granted Cellebrite a license to use the software, which means its distribution could cause legal issues down the road.
The post also gives further details about Cellebrite’s hacking products. For example, the company provides two software packages: UFED, which breaks encryption to collect deleted or hidden data, and Physical Analyzer, which detects “event tracking” for the collection of digital evidence.
For users concerned about Cellebrite’s ability to get into iPhone devices, Marlinspike notes that the company’s products require physical access. That is, they do not perform remote monitoring or data interception.
As for how Marlinspike obtained a Cellebrite device, he says it came about through a “truly unbelievable coincidence.” While out walking one day, he “saw a small package fall off a truck in front of me.” That package apparently contained “the latest versions of Cellebrite software, a hardware dongle designed to prevent piracy … and a strangely large number of cable adapters.”
It’s worth noting that Marlinspike and his team posted details about Cellebrite’s vulnerabilities outside the realm of responsible disclosure. In that note, he said his team would be willing to share details of the vulnerabilities if Cellebrite shares the steps they use to hack iPhones.
“Of course, we are willing to responsibly disclose the specific vulnerabilities we know about Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective providers, now and in the future,” Marlinspike wrote.
In an apparently deliberately vague final paragraph, Marlinspike writes that future versions of Signal will include files that “are never used for anything within Signal and never interact with Signal software or data.”
He added that the files “look nice and aesthetics are important in software.” But given the brazen tone of some of the other content in the blog post, there is a possibility that the files are a mitigation mechanism intended to frustrate Cellebrite’s unlock tools in the future. Cellebrite recently announced support for displaying Signal data from an unlocked device.
This is not the first time Cellebrite has had a security incident. In 2017, the company’s servers were hacked, leading to a leak of data and technical files about its products. And while Cellebrite says it only sells its tools to law enforcement and other government agencies, 2019 reports indicated that Cellebrite devices were being sold on eBay.