Israeli digital intelligence firm Cellebrite sells software designed to unlock phones and extract their data. As result, are products a favorite of US law enforcement and police use them often to collect evidence from seized devices. In the past, the company has been criticized for its willingness to sell to almost any government, including repressive regimes around the world. Despite its mission to compromise phone security everywhere, Cellebrite seems to have little interest in securing its own software – if you believe the CEO of the encrypted chat app Signal.
In a blog post Published on Wednesday, Moxie Marlinspike claimed that Cellebrite’s software has hideous security that can be easily manipulated in some pretty amazing ways.
“We were surprised to find that very little care appears to have been taken with Cellebrite’s proprietary software security. Defense mechanisms against industry-standard exploits are lacking, and there are many opportunities for exploitation, ”writes Marlinspike. “Until Cellebrite is able to fix all vulnerabilities in its software accurately and with extreme confidence, the only remedy a Cellebrite user has is to not scan devices.”
Among the many wild claims made in the blog, Marlinspike says that due to security flaws, someone could actually rewrite any data collected by Cellebrite’s tools. Hypothetically, a uniquely configured file could be shuffled into any app on a particular device, leaving all the data that is or will be collected by the Cellebrite software.
Such a file can “change data in any way (insert or delete text, email, photos, contacts, files, or other data), without detectable timestamp changes or checksum errors,” the blog states. It goes on:
“Given the number of opportunities present, we found that it is possible to run arbitrary code on a Cellebrite machine simply by inserting a specially formatted but otherwise harmless file into an app on a device that is then connected to Cellebrite and stored. scanned. There are virtually no limits to the code that can be executed. “
G / O Media can receive a commission
The blog even features a video split with scenes from the movie Hackers, which shows how easily Cellebrite’s software can be hijacked:
Plus, the blog makes another pretty bold claim: code that appears to be Apple’s intellectual property appears in Cellebrite’s software – something Marlinspike says “could pose a legal risk to Cellebrite and its users.” In other words, Cellebrite may be selling code that belongs to its biggest adversary.
If all of these revelations are true, it could have some pretty big ramifications for Cellebrite. If we can assume that it is really that easy for someone to break into the company’s software and drastically change the data that the police collect, how confident can the police be that the evidence they are collecting is really correct? ? What would be the legal ramifications for the things that depended on Cellebrite’s software, if security were really that paltry? Anyone who has been involved in a case using this software should probably call their attorney now.
The fact that Marlinspike has publicly raised these security concerns – and has done so without prior notice to Cellebrite, as is common in the industry – can certainly be seen as a swipe, if not an outright slap in the face. It’s hard not to read all of this as some sort of answer to Cellebrite’s recent claims that the can crack Signal’s encryption– Certainly a claim that stuck in Marlinspike’s crawl. To top it all off, Signal’s CEO is ending the blog by making it really sound like Signal plans to spam Cellebrite with some sort of malware-adjacent files in the future:
In totally unrelated news, upcoming versions of Signal will periodically fetch files to put in app storage. These files are never used for anything within Signal and do not interact with Signal software or data, but they look good, and aesthetics are important in software … We have a few different versions of files that we think are are aesthetically pleasing and will repeat through that slowly over time. There is no other meaning for these files.
Shots were indeed fired. We’ve reached out to Cellebrite for comment and will update this story if we hear from them.
UPDATE, 6:50 PM, Wednesday April 21: In response to a request for comment, a Cellebrite spokesperson sent us the following statement:
Cellebrite empowers customers to protect and save lives, accelerate justice and preserve privacy in legally sanctioned investigations. We have a strict licensing policy that governs how customers may use and do not sell our technology to countries that are sanctioned by the US, Israel, or the wider international community. Cellebrite is committed to protecting the integrity of our customers’ data, and we constantly monitor and update our software to provide our customers with the best digital intelligence solutions available.