The CEO of secure messaging app Signal has hacked a phone unlocking device made by Cellebrite, revealing critical vulnerabilities that could be used against police investigators.
Cellebrite is a digital forensics company that produces tools and resources to unlock devices like the iPhone. It famously sells its hacking devices to government and law enforcement agencies for investigative use, and even U.S. public school districts.
On Wednesday, Signal founder Moxie Marlinspike reported several vulnerabilities in the hacking hardware that could be used to run malicious code on a machine used to analyze an unlocked device. In the real world, that would most likely be a police or government investigator’s machine.
More than that, Marlinspike said there are “virtually no limits” on the type of malicious code that could be executed using the vulnerabilities.
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
Marlinspike explains that the Cellebrite hacking device needs to parse all types of untrusted data on the iPhone or other device being analyzed. He notes that, upon further investigation, “very little care seems to have been given to Cellebrite’s own software security.”
The Signal founder points out that industry-standard malware mitigation measures and missing. That allows “many opportunities” for exploitation. For example, the Cellebrite system uses a Windows audio/video conversion software that was released in 2012. Since then, the software has been updated with more than 100 security fixes — none of which are included in the Cellebrite products.
Also of interest is a pair of MSI installer packages in Physical Analyzer that are digitally signed by Apple. Marlinspike suggests the packages, which implement functionality between iTunes and iOS, were extracted from the Windows installer for iTunes version 126.96.36.199. It is unlikely that Apple gave Cellebrite a license to use the software, meaning its deployment could cause legal problems down the road.
There are additional details about Cellebrite’s device hacking products. For example, the company provides two software packages: UFED, which breaks through encryption to collect deleted or hidden data, and Physical Analyzer, which detects “trace events” for digital evidence collection.
For users concerned about Cellebrite’s ability to break into iPhone devices, Marlinspike points out that the company’s products require physical access. They don’t do remote surveillance or data interception, in other words.
As far as how Marlinspike was able to get a Cellebrite device, he says he obtained it in a “truly unbelievable coincidence.” When he was walking one day, he “saw a small package fall off a truck ahead of me.” That package apparently contained “latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy … and a bizarrely large number of cable adapters.”
It’s worth pointing out that Marlinspike and his team published details about the Cellebrite vulnerabilities outside of the scope of responsible disclosure. On that note, he said his team would be willing to share details of the vulnerabilities if Cellebrite shares the exploits they use to hack iPhones.
“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” Marlinspike wrote.
In a seemingly intentionally vague last paragraph, Marlinspike writes that future versions of Signal will include files that “are never used for anything inside Signal and never interact with Signal software or data.”
He added that the files “look nice, and aesthetics are important in software.” But, given the tongue-in-cheek nature of some of the other content in the blog post, there’s a chance that the files could be a mitigation mechanism to foil Cellebrite unlocking tools in the future. Cellebrite recently announced support to display Signal data from an unlocked device.
This isn’t the first time Cellebrite has had a security incident. Back in 2017, the company’s servers were hacked, which resulted in the leak of data and technical files about its products. Additionally, although Cellebrite only sells its tools to law enforcement and other government agencies, reports in 2019 indicated that Cellebrite devices were being sold on eBay.