
For years, Israeli digital forensics company Cellebrite has helped governments and police around the world break into confiscated cell phones, mostly by exploiting vulnerabilities overlooked by device manufacturers. Now Moxie Marlinspike, the creator of the Signal messaging app, has turned the tables on Cellebrite.
On Wednesday, Marlinspike published a post reporting vulnerabilities in Cellebrite software that allowed him to run malicious code on the Windows computer used to analyze devices. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded in any app installed on the device being examined.
Virtually no limits
“There are virtually no limits to the code that can be executed,” Marlinspike wrote.
He went on:
For example, by including a specially formatted but otherwise harmless file in an app on a device that is then scanned by Cellebrite, it is possible to run code that not only modifies the Cellebrite report created in that scan, but also all past and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any way (insertion or deletion of text, email, photos, contacts, files or other data), with no detectable timestamp changes or checksum errors. This could even happen arbitrarily, and would seriously question the data integrity of Cellebrite’s reports.
Cellebrite offers two software packages: The UFED breaks locks and encryption protections to collect deleted or hidden data, and a separate Physical Analyzer discovers digital evidence (“trace events”).
To do their job, both pieces of Cellebrite software must parse all kinds of untrusted data stored on the device being analyzed. Typically, software this promiscuous undergoes extensive security hardening to detect and fix the memory-corruption or parsing vulnerabilities that allow attackers to run malicious code.
“Looking at both UFED and Physical Analyzer, we were surprised to find that very little care appears to have been taken with Cellebrite’s proprietary software security,” wrote Marlinspike. “Defense mechanisms to limit industry-standard exploits are lacking and there are many opportunities for exploitation.”
Endangering integrity
An example of this lack of hardening was the inclusion of Windows DLL files for the audio/video conversion software known as FFmpeg. The bundled build dates from 2012 and has not been updated since. Marlinspike said that FFmpeg has received more than 100 security updates in the intervening nine years. None of these fixes are included in the FFmpeg libraries shipped with the Cellebrite products.
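A defender auditing a forensic workstation can catch stale bundled libraries like this with a software-inventory check that reads each DLL's build timestamp straight from the PE header. The following is an added example, not code from the article, Signal or Cellebrite; the DLL images it inspects are constructed in the script (the names and dates are made up), and it assumes the PE `TimeDateStamp` has not been zeroed by a reproducible build or forged.

```python
"""Flag bundled DLLs whose PE build timestamp is older than a chosen age (added example)."""
import struct
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


def pe_build_time(image: bytes) -> Optional[datetime]:
    """Return the COFF TimeDateStamp of a PE image as UTC, or None if not a usable PE.

    Layout: 'MZ' at offset 0, e_lfanew (uint32) at 0x3C, 'PE\\0\\0' at e_lfanew,
    then the 20-byte COFF header whose TimeDateStamp sits 8 bytes past the signature.
    The stamp can be zeroed (reproducible builds) or forged, so treat it as triage, not proof.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    if stamp == 0:  # zeroed stamp carries no date information
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def stale_dlls(dlls: Iterable[Tuple[str, bytes]], max_age_years: int,
               now: Optional[datetime] = None) -> List[Tuple[str, int]]:
    """Return (name, build_year) for every DLL built more than max_age_years ago."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for name, image in dlls:
        built = pe_build_time(image)
        if built and (now - built).days > max_age_years * 365:
            stale.append((name, built.year))
    return stale


def make_pe(stamp: datetime) -> bytes:
    """Construct a minimal PE image (DOS stub + signature + COFF header) with a given build time."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew points just past it
    coff = struct.pack("<HHIIIHH", 0x8664, 1, int(stamp.timestamp()), 0, 0, 0, 0)
    return bytes(hdr) + b"PE\0\0" + coff


# Constructed sample inventory: one 2012-era library, one recent one (names are made up).
SAMPLE = [("old-ffmpeg.dll", make_pe(datetime(2012, 10, 1, tzinfo=timezone.utc))),
          ("recent.dll", make_pe(datetime(2021, 1, 15, tzinfo=timezone.utc)))]
AS_OF = datetime(2021, 4, 21, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

if __name__ == "__main__":
    print(stale_dlls(SAMPLE, 3, now=AS_OF))  # [('old-ffmpeg.dll', 2012)]
```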
Marlinspike included a video that shows UFED parsing a file he had formatted to run arbitrary code on the Windows device. The payload uses the MessageBox Windows API to render a benign message, but Marlinspike said that “it is possible to run any code, and a real exploit payload would probably attempt to undetectably modify previous reports and maintain integrity of future reports (maybe randomly!), or extract data from the Cellebrite machine.”
Marlinspike said he also found two MSI installer packages digitally signed by Apple that appear to have been extracted from the Windows installer for iTunes. Marlinspike wondered whether bundling them violates Apple’s copyrights. Apple did not immediately comment when asked.
In an email, a Cellebrite representative wrote, “Cellebrite is committed to protecting the integrity of our customers’ data, and we continuously monitor and update our software to provide our customers with the best digital intelligence solutions available.” The representative did not say whether the company’s engineers were aware of the vulnerabilities Marlinspike describes or whether the company had permission to bundle Apple software.
Marlinspike said he obtained the Cellebrite equipment in a “truly unbelievable coincidence” while walking and “saw a small package fall off a truck in front of me.” The account strains credulity. Marlinspike declined to provide additional details as to exactly how he obtained the Cellebrite tools.
The ‘fell-off-a-truck’ line wasn’t the only tongue-in-cheek statement in the post. Marlinspike also wrote:
In totally unrelated news, upcoming versions of Signal will periodically fetch files to put in app storage. These files are never used for anything within Signal and do not interact with Signal software or data, but they look good and the aesthetics are important in software. Files are only returned for accounts that have been active installations for some time, and probably only at low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and they will slowly repeat these over time. There is no other meaning for these files.
The vulnerabilities could give defense attorneys grounds to challenge the integrity of forensic reports generated with the Cellebrite software. Cellebrite representatives did not respond to an email asking whether they were aware of the vulnerabilities or had plans to fix them.
“We are of course willing to responsibly disclose the specific vulnerabilities we know to Cellebrite if they do the same for any vulnerabilities they use in their physical extraction and other services to their respective vendors now and in the future,” Marlinspike wrote.
This post has been updated to add the fourth and third-to-last paragraphs and to include comment from Cellebrite.