Signal’s CEO just broke the police’s favorite phone-cracking tool


Screenshot: Lucas Ropek / Signal

Israeli digital intelligence company Cellebrite sells software designed to unlock phones and extract their data. As a result, its products are a favorite of U.S. law enforcement agencies, and police use them frequently to gather evidence from confiscated devices. In the past, the company has been criticized for its willingness to sell to just about any government, including repressive regimes around the world. However, despite its mission to compromise phone security everywhere, Cellebrite seems to have little interest in securing its own software, if you believe the CEO of the encrypted messaging app Signal.

In a blog post published on Wednesday, Moxie Marlinspike argued that Cellebrite’s software has atrocious security that can be easily manipulated in a number of amazing ways.

“We were surprised to find that very little attention was paid to the security of Cellebrite’s own software. There is a lack of standard exploit mitigation protections, and there are many opportunities for exploitation,” writes Marlinspike. “Until Cellebrite is able to accurately repair all vulnerabilities in its highly trusted software, the only remedy a Cellebrite user has is not to scan the devices.”

Among the many wild claims made in the blog, Marlinspike says that due to security flaws, someone could rewrite all the data collected by Cellebrite’s tools. Hypothetically, a single specially configured file could be slipped into any application on a targeted device, allowing the alteration of all data that has been or will be collected by Cellebrite’s software.

Such a file could change the data “in any arbitrary way (inserting or deleting text, e-mail, photos, contacts, files or any other data), without detectable timestamp changes or checksum failures,” the blog says. It continues:

“Given the number of opportunities present, we found that it is possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted, but otherwise harmless, file in any application on a device that is subsequently connected to Cellebrite and scanned. There are virtually no limits to the code that can be executed.”

The blog even includes a video, spliced with scenes from the movie Hackers, which shows how easily Cellebrite’s software can be hijacked.

In addition to all this, the blog makes another rather bold claim: code that is apparently Apple’s intellectual property appears in Cellebrite’s software, something Marlinspike says “could pose a legal risk to Cellebrite and its users.” In other words, Cellebrite could be selling code that belongs to its biggest opponent.

If all these revelations are true, they could have quite massive ramifications for Cellebrite. If we can assume that it is so easy for someone to break into the company’s software and drastically change the data that the police collect, how sure can law enforcement be that the evidence they collect is actually correct? What would be the legal ramifications for the cases that relied on Cellebrite’s software, if its security is really so inadequate? Anyone involved in a case that used this software should probably call their lawyer right now.

The fact that Marlinspike has publicly aired these security concerns, and did so without the prior disclosure to Cellebrite that is standard industry practice, could certainly be seen as a blow, if not a slap in the face. It’s hard not to read all this as a kind of reply to Cellebrite’s recent claims that it can crack Signal’s encryption, a claim that definitely stuck in Marlinspike’s craw. To top it all off, the CEO of Signal actually ends the blog by making it sound like Signal intends to spam Cellebrite with some sort of malware-related files in the future:

“In completely unrelated news, future versions of Signal will periodically download files to store in the application. These files are never used for anything in Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software … We have several different versions of files that we think are aesthetically pleasing and will iterate through those slowly over time. There is no other meaning for these files.”

Shots fired, indeed. We have contacted Cellebrite for comment and will update this story if we receive a response.

UPDATE, 6:50 p.m., Wednesday, April 21: In response to a request for comment, a Cellebrite spokesperson sent us the following statement:

“Cellebrite enables customers to protect and save lives, expedite justice and maintain privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers are allowed to use our technology and do not sell to countries that are sanctioned by the US, Israel or the wider international community. Cellebrite is committed to protecting the integrity of our customer data and we continually audit and update our software to provide our customers with the best digital intelligence solutions available.”
