Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns
from the distinct-lack-of-'what-if-this-feel-into-the-wrong-hands'-thinking-by-Ce dept
A pretty hilarious turn of events has led to Cellebrite’s phone hacking tech being hacked by Signal’s Moxie Marlinspike, revealing the tech law enforcement uses to pull data from seized phones is host to major security flaws.
According to Marlinspike, the Cellebrite came into his possession thanks to some careless package handling.
By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
This must be what actually happened. I mean, there’s a photo of a Cellebrite lying on the street. That should end any senseless law enforcement speculation about this device’s origin story.
The fun starts immediately, with Marlinspike finding all sorts of things wrong with Cellebrite’s own device security. This would seem to be a crucial aspect considering Cellebrite performs raw extractions of unvetted data from seized phones, which could result in the forced delivery of malware residing on the target device. But that doesn’t appear to concern Cellebrite, which seems to feel its products will remain unmolested because they’re only sold to government agencies.
Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.
Just one example of this carelessness is unpatched DLLs residing in the Cellebrite system software. One DLL used to handle extracted video content hasn’t been updated since 2012, ignoring more than 100 patches that have been made available since then.
This means it wouldn’t be much of a hassle to target Cellebrite devices with code that could corrupt not only the current data extraction but also the results of every previous extraction performed by that device.
[B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
That’s a major problem because phone extractions are performed to secure evidence to use in criminal cases. If law enforcement agencies can’t trust the data they’ve extracted or rely on the reports generated by Cellebrite to perform searches, they’re going to find their evidence tossed or impossible to submit in the first place.
Further inspection of Cellebrite’s software also shows the company has ported over chunks of Apple’s proprietary code intact and is using it to assist in iPhone extractions. Presumably, Cellebrite hasn’t obtained a license from Apple to use this code in its devices (and redistribute the code with every device sold), so perhaps we’ll be hearing something from Apple’s lawyers in the near future.
This table-turning was likely provoked by Cellebrite’s incredibly questionable claim it had “cracked” Signal’s encryption. Instead, as more information came out — including its use in criminal cases — it became clear Cellebrite did nothing more than anyone could do with an unlocked phone: open up the Signal app and obtain the content of those messages.
Fortunately for everyone not currently working for Cellebrite, a delivery incident occurred and a phone-hacking device was impacted. Signal isn’t worried that Cellebrite can break its encryption. In fact, it doesn’t appear to be worried at all. This examination of Cellebrite hacking tools will only result in a small cosmetic refresh for Signal.
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. […] We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
Maybe this will force Cellebrite to care a bit more deeply about its security and the security of its customers. Or maybe it will brute force its way past this, assuming its customers still have that “our word against yours” thing that tends to work pretty well in court. But it’s not the only player in the phone-cracking field. So it might want to step its security game up a bit. Or at least stop picking fights with encrypted services.