After cellphone hacking company Cellebrite said it figured out a way to access the secure messaging app Signal, Signal said in a blog post that it turned the tables. The app’s creator, Moxie Marlinspike, claimed his team bought the hack kit from Cellebrite and discovered several vulnerabilities. He then suggested that Signal will update the app to hinder law enforcement attempts to hack it.
Cellebrite sells a series of “data analysis devices” called UFED that allow law enforcement officers to hack into iOS or Android phones and extract message logs, call records, photos and other data. The app was most famously used by the FBI to unlock the San Bernardino shooter ‘s iPhone in 2016-17, reportedly paying up to $ 900,000 for the tools.
Marlinspike managed to get his hands on a Cellebrite UFED, complete with the software and hardware dongle, jokingly about falling off a truck while out for a walk. (Older versions of the devices have appeared on eBay and other sites in the past.)
He noted that it used a number of old and obsolete DLLs, including a 2012 version of FFmpeg and MSI Windows installation packages for Apple’s iTunes program. “Looking at both the UFED and the Physical Analyzer, we were surprised to find that very little care appears to have been taken in the own software security, ”he wrote.
Signal’s team found that by including “specially formatted but otherwise harmless files in an app on a device” scanned by Cellebrite, it could run code that modifies the UFED report. For example, it can potentially insert or delete text, email, photos, contacts and other data without leaving a trace of the manipulation.
In a tweet (above), Signal demonstrated the hack in action, with the UFED parsing a file formatted to run code and display a benign message. However, the company said that “a real exploit payload would likely attempt to undetectably modify previous reports, compromise the integrity of future reports, or exfiltrate data from the Cellebrite machine.” Marlinspike then suggested that it could install such code in Signal to prevent future attempts at Cellebrite extraction by law enforcement officials.
Signal released details of the alleged Cellebrite vulnerabilities without giving the company a warning, but said it would change course if Cellebrite were to reciprocate. “We are of course willing to responsibly disclose the specific vulnerabilities we know to Cellebrite if they do the same for any vulnerabilities they use in their physical extraction and other services to their respective vendors now and in the future.”
Cellebrite told Ars Technica that it is “committed to protecting the integrity of our customers’ data, and we constantly monitor and update our software to equip our customers with the best digital intelligence solutions available.” Signal’s claims should be treated with some skepticism without seeing more details about the hack, along with confirmation from other security experts.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories contain affiliate links. If you buy something through one of these links, we can earn an affiliate commission.