Report on hacking Cellebrite reveals vulnerabilities and potential Apple copyright issues

The CEO of the secure messaging application Signal hacked a phone-unlocking device made by Cellebrite, revealing critical vulnerabilities that could be used against police investigators.

Cellebrite is a digital forensics company that produces tools and resources to unlock devices like the iPhone. It famously sells its hacking devices to government and law enforcement agencies for investigations, and even to public school districts in the United States.

On Wednesday, Signal founder Moxie Marlinspike reported several vulnerabilities in the hacking hardware that could be used to run malicious code on a machine used to scan an unlocked device. In the real world, that would most likely be a police or government investigator's machine.

Moreover, Marlinspike said that “there are virtually no limits” to the type of malicious code that could be executed using the vulnerabilities.

For example, by including a specially formatted but otherwise harmless file in an application on a device that is then scanned by Cellebrite, you can run code that modifies not only the Cellebrite report created in that scan, but also all past and future Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary manner (inserting or deleting text, email, photos, contacts, files, or any other data) without detectable timestamp changes or checksum errors. This could be done at random and would seriously call into question the integrity of the data in Cellebrite’s reports.

Marlinspike explains that the Cellebrite hacking device must parse all types of untrusted data on the iPhone or other device being analyzed. He notes that, after further investigation, “it appears that very little attention was paid to Cellebrite’s software security.”

The founder of Signal points out that there is a lack of industry-standard measures to mitigate malware. This allows for “many opportunities” for exploitation. For example, the Cellebrite system uses Windows audio/video conversion software released in 2012. Since then, the software has been updated with over 100 security fixes, none of which are included in Cellebrite products.
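The stale bundled component described above is the kind of finding a dependency audit of an installed product can surface. The following is an added example, not code from Signal or Cellebrite: it reads the link timestamp from each bundled Windows PE file and flags modules older than a chosen age. The file names, dates and the three-year threshold are constructed, and the check assumes the vendor's build leaves a real timestamp in the header (reproducible builds may not).

```python
import struct
from datetime import datetime, timezone

def pe_link_time(data):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None."""
    # The file is untrusted input, so every offset is bounds-checked before use.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew > len(data) - 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def stale_modules(modules, max_age_years, now):
    """Return (name, finding) pairs for modules that are too old or unparseable."""
    findings = []
    for name, blob in sorted(modules.items()):
        linked = pe_link_time(blob)
        if linked is None:
            findings.append((name, "unparseable"))
        elif (now - linked).days > max_age_years * 365:
            findings.append((name, linked.strftime("%Y-%m-%d")))
    return findings

def _fake_pe(year, month, day):
    # Constructed minimal image: DOS header, PE signature and COFF header only.
    stamp = int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff

# Constructed sample standing in for a product's install directory.
SAMPLE = {
    "mediaconv.dll": _fake_pe(2012, 6, 1),   # hypothetical old bundled codec
    "viewer.dll": _fake_pe(2021, 1, 15),     # hypothetical recent module
    "notes.txt": b"not a PE file",
}
AUDIT_DATE = datetime(2021, 4, 21, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for name, finding in stale_modules(SAMPLE, 3, AUDIT_DATE):
        print(f"{name}: {finding}")
```
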

Also of interest is a pair of MSI installation packages in Physical Analyzer that are digitally signed by Apple. Marlinspike suggests that the packages, which implement functionality between iTunes and iOS, have been extracted from the Windows installer for iTunes version 12.9.0.167. It is unlikely that Apple has granted Cellebrite a license to use the software, which means that using it could cause legal issues down the line.

There are additional details about Cellebrite's hacking products. For example, the company offers two software packages: UFED, which breaks through encryption to collect deleted or hidden data, and Physical Analyzer, which detects “tracking events” to collect digital evidence.

For users concerned about Cellebrite’s ability to access iPhone devices, Marlinspike points out that the company’s products require physical access. In other words, they do not remotely monitor or intercept data.

As for how Marlinspike managed to get a Cellebrite device, he says he got it in a “truly incredible coincidence.” As he was walking one day, “I saw a small package falling from a truck in front of me.” The package contained “the latest versions of Cellebrite software, a hardware dongle designed to prevent piracy … and a bizarrely large number of cable adapters.”

It is worth noting that Marlinspike and his team have published details of Cellebrite’s vulnerabilities outside the scope of responsible disclosure. In that note, he said his team would be willing to share details about the vulnerabilities if Cellebrite shares the exploits it uses to hack iPhones.

“We are, of course, willing to responsibly disclose the specific vulnerabilities we know about Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective providers, now and in the future,” Marlinspike wrote.

In a seemingly intentionally vague last paragraph, Marlinspike writes that future versions of Signal will include files that “are never used for anything in Signal and never interact with Signal software or data.”

He added that the files “look beautiful and the aesthetics are important in the software”. But given the tongue-in-cheek nature of some of the other content in the blog post, chances are the files may be a mitigation mechanism to thwart Cellebrite's unlocking tools in the future. Cellebrite recently announced support for displaying Signal data from an unlocked device.

This is not the first time Cellebrite has had a security incident. In 2017, the company’s servers were breached, which led to a leak of data and technical files about its products. In addition, although Cellebrite only sells its tools to law enforcement and other government agencies, 2019 reports indicated that Cellebrite devices were being sold on eBay.
