Signal hacks the Cellebrite device, reveals vulnerabilities and raises potential concerns about Apple's copyright

The CEO of the secure messaging app Signal has hacked a Cellebrite phone-unlocking device and revealed critical vulnerabilities that could be used against police investigators.

Cellebrite is a digital forensics company that produces tools and resources to unlock devices such as the iPhone. It famously sells its hacking equipment to government and law enforcement agencies for investigative purposes, and even to public school districts in the US.

On Wednesday, Signal founder Moxie Marlinspike reported several vulnerabilities in the hacking hardware that could be used to run malicious code on a machine used to analyze an unlocked device. In the real world, that would most likely be a police or government investigator’s machine.

In fact, Marlinspike said there are “virtually no limits” to the type of malicious code that can be executed using the vulnerabilities.

For example, by including a specially formatted but otherwise harmless file in an app on a device that is then scanned by Cellebrite, it is possible to run code that modifies not only the Cellebrite report created in that scan, but also all past and future Cellebrite reports from all previously and subsequently scanned devices, in any way (insertion or deletion of text, email, photos, contacts, files or other data), with no detectable timestamp changes or checksum errors. This could even be done at random, and would seriously call the data integrity of Cellebrite's reports into question.

Marlinspike explains that the Cellebrite hacking device needs to parse all types of untrusted data on the iPhone or any other device being analyzed. He notes that upon closer examination, “very little care appears to have been taken with Cellebrite’s proprietary software security.”

The Signal founder points out that industry-standard exploit mitigations are lacking, which offers "many opportunities" for exploitation. For example, the Cellebrite system bundles Windows audio/video conversion software that was released in 2012. Since then, that software has received more than 100 security fixes, none of which are included in Cellebrite's products.

Also interesting are a few MSI installation packages in Physical Analyzer that are digitally signed by Apple. Marlinspike suggests that the packages, which implement the functionality Windows needs to interact with iOS devices through iTunes, were extracted from the Windows installer for iTunes version 12.9.0.167. It is unlikely that Apple licensed Cellebrite to use the software, meaning its inclusion could cause legal trouble in the long run.

The post also gives additional details about Cellebrite's device-hacking products. For example, the company offers two software packages: UFED, which breaks encryption to collect deleted or hidden data, and Physical Analyzer, which detects "trace events" to collect digital evidence.

For users concerned about Cellebrite’s ability to break into iPhone devices, Marlinspike points out that the company’s products require physical access. In other words, they don’t engage in remote monitoring or data interception.

As for how Marlinspike was able to get his hands on a Cellebrite device, he says he obtained it in a "truly incredible coincidence." One day while out for a walk, he "saw a small package fall from a truck" right in front of him. That package apparently contained "the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy … and an insane amount of cable adapters."

It's worth pointing out that Marlinspike and his team have published details about the Cellebrite vulnerabilities outside the usual responsible-disclosure process. On that point, he said his team would be willing to share the specific details with Cellebrite if Cellebrite, in turn, discloses the exploits it uses to break into iPhones to the affected vendors.

“We are of course willing to responsibly disclose the specific vulnerabilities we know to Cellebrite if they do the same for any vulnerabilities they use in their physical extraction and other services to their respective vendors now and in the future,” Marlinspike wrote.

In a seemingly deliberately vague last paragraph, Marlinspike writes that future versions of Signal will contain files that “are never used for anything within Signal and never interact with Signal software or data.”

He added that the files "look good," and that "aesthetics are important in software." But given the ironic tone of some of the other content in the blog post, there's a chance that the files are meant to act as a mitigation against Cellebrite's unlocking tools in the future. Cellebrite recently announced support for displaying Signal data extracted from an unlocked device.

This isn't the first time Cellebrite has had a security incident. In 2017, the company's servers were hacked, resulting in data and technical files about its products being leaked. Additionally, although Cellebrite says it only sells its tools to law enforcement and other government agencies, reports in 2019 indicated that Cellebrite devices were being sold on eBay.