For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world enter confiscated cell phones, primarily by exploiting vulnerabilities that have been overlooked by device manufacturers. Now, Moxie Marlinspike – the creator of the messaging app Signal – has transformed Cellebrite.
On Wednesday, Marlinspike released a post reporting vulnerabilities in Cellebrite software that allowed it to execute malicious code on the Windows computer used to scan devices. The researcher and software engineer exploited the vulnerabilities by uploading specially formatted files that can be embedded in any application installed on the device.
There are practically no limits
“There are virtually no limits to the code that can be executed,” Marlinspike wrote.
He continued:
For example, by including a specially formatted but otherwise harmless file in an application on a device that is then scanned by Cellebrite, you can run code that modifies not only the Cellebrite report that is created in that scan, but also all generations. past and future Cellebrite Reports on all previously scanned devices and all future scanned devices in any arbitrary manner (inserting or deleting text, email, photos, contacts, files, or any other data) without detectable timestamp changes or errors of checksums. This could be done at random and would seriously call into question the integrity of the data in Cellebrite’s reports.
Cellebrite offers two software packages: UFED breaks through locks and encryption protections to collect deleted or hidden data, and a separate Physical Analyzer detects digital evidence (“tracking events”).
In order to do its job, both components of the Cellebrite software must analyze all sorts of reliable data stored on the analyzed device. Typically, software that is so promiscuous undergoes all sorts of security enhancements to detect and fix memory corruption or vulnerability analysis that could allow hackers to execute malicious code.
“However, looking at both UFED and the Physical Analyzer, we were surprised to find that very little attention was paid to Cellebrite’s software security,” Marlinspike wrote. “There is a lack of standard means of protection for the exploitation of exploitation and there are many opportunities for exploitation.”
Compromised integrity
An example of this lack of reinforcement was the inclusion of Windows DLLs for audio / video conversion software known as FFmpeg. The software was built in 2012 and has not been updated since. Marlinspike said that over the next nine years, FFmpeg has received more than 100 security updates. None of these fixes are included in the FFmpeg software included in Cellebrite products.
Marlinspike included a video showing UFED as it scans a file it has formatted to execute arbitrary code on the Windows device. The payload uses the Windows MessageBox API to display a benign message, but Marlinspike said that “it is possible to execute any code, and a real payload would probably seek to undetectly modify previous reports, compromising the integrity of future reports. (maybe random!), or filter data from your Cellebrite. ”
Marlinspike said he also found two MSI installation packages that are digitally signed by Apple and appear to have been extracted from the Windows installer for iTunes. Marlinspike wondered if the inclusion was an infringement of Apple’s copyright. Apple did not immediately provide a comment when asked about this.
In an e-mail, a Cellebrite representative wrote: “Cellebrite is committed to protecting the integrity of our customer data and we continually audit and update our software to provide customers with the best digital intelligence solutions available.” The representative did not say if the company’s engineers were aware of the detailed vulnerabilities of Marlinspike or if the company was allowed to deliver Apple software.
Marlinspike said he obtained the Cellebrite equipment in a “truly incredible coincidence” as he walked and “saw a small package falling from a truck in front of me.” The incident seems truly unbelievable. Marlinspike declined to provide further details on exactly how he came into possession of the Cellebrite instruments.
The fall line of a truck was not the only statement in the language of the station. Marlinspike also wrote:
In completely unrelated news, future versions of Signal will periodically download files to store in the application. These files are never used for anything in Signal and never interact with Signal software or data, but they look beautiful, and aesthetics are important in software. Files will only be returned for accounts that have been active for some time and only probably in small percentages, based on phone number distribution. We have several different versions of files that we think are aesthetically pleasing and that will repeat them slowly over time. There is no other meaning for these files.
Vulnerabilities could provide feed for defense attorneys to challenge the integrity of forensic reports generated using Cellebrite software. Cellebrite representatives did not respond to an email asking if they were aware of any vulnerabilities or intended to fix them.
“We are, of course, willing to responsibly disclose the specific vulnerabilities we know about Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective providers, now and in the future,” he wrote. Marlinspike.
The post is updated to add the fourth and third to last paragraph and to add comments from Cellebrite.