Signal broke the Cellebrite phone hacking software used by law enforcement

After Cellebrite reported that it had found a way to access Signal’s secure messaging app, Signal said in a blog post that it had turned the tables. The app’s creator, Moxie Marlinspike, claimed that his team obtained Cellebrite’s hacking kit and discovered several vulnerabilities. He then suggested that Signal update the app to prevent any law enforcement attempts to hack it.

Cellebrite sells a “data analytics” suite called UFED that allows law enforcement to break into iOS or Android phones and retrieve messaging logs, call logs, photos, and other data. It was most famously used by the FBI to unlock the iPhone of the San Bernardino shooter in 2016-17, with the agency paying up to $900,000 for the tools.

Marlinspike managed to get a Cellebrite UFED, complete with the software and hardware dongle, joking that it fell off a truck while he was out for a walk. (Older versions of the devices have appeared on eBay and other sites in the past.)

He mentioned that it used some old and outdated DLLs, including a 2012 version of FFmpeg and MSI Windows installer packages for Apple’s iTunes program. “However, looking at both UFED and Physical Analyzer, we were surprised to find that very little care seemed to be given to Cellebrite’s own software security,” he wrote.

The Signal team found that by including “specially formatted but otherwise harmless files in any application on a device” scanned by Cellebrite, it could run code that modifies the UFED report. For example, it could insert or delete text, email, photos, contacts and other data without leaving any traces of manipulation.

In a tweet, Signal demonstrated the hack in action, with UFED parsing a specially formatted file that runs code and displays a benign message. However, the company said that “a real payload will probably try to undetectably change previous reports, compromise the integrity of future reports or leak data from the Cellebrite machine.” Marlinspike suggested that he could install such code in Signal to prevent future Cellebrite extraction attempts by law enforcement.

Signal revealed details of Cellebrite’s alleged vulnerabilities without giving the company any warning, but said it would change its approach if Cellebrite reciprocated. “We are, of course, willing to responsibly disclose the specific vulnerabilities we know about Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective providers, now and in the future.”

Cellebrite told Ars Technica that “it is committed to protecting the integrity of our customers’ data and we continually audit and update our software to provide our customers with the best digital intelligence solutions available.” Without more details about the hack and confirmation from other security experts, Signal’s claims should be treated with some skepticism.
