Signal Exposes Major Cellebrite Vulnerabilities
The Popular Encrypted Chat App CEO Revealed How A Device Used to Decrypt Messages Can Be Hacked and Tampered With.
Signal CEO Moxie Marlinspike claims to have hacked devices made by phone unlocking company Cellebrite, which has famously worked with law enforcement representatives to evade encryption such as Signal’s.
In a blog post from April 21st, Marlinspike not only published details of new exploits for Cellebrite devices but seemed to suggest that Signal’s code could be altered to massively hack Cellebrite devices.
Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.
According to Marlinspike, when this type of vulnerabilities are found, the issue is disclosed to the maker of the software so it can be fixed, but since Cellebrite makes a living from undisclosed vulnerabilities, he decided to take matters into his own hands.
He added that in Cellebrite’s case, “industry-standard exploit mitigation defenses are missing”, making room for many exploitation opportunities. One example is that their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since. Marlinspike says that there have been over a hundred security updates in that time, but none has been applied.
Image Source: Signal
The Signal CEO claims that while he was on a walk he “happened” to find a Cellebrite phone unlocking device:
By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
Cellebrite devices are used by police officers to unlock iPhones and gather evidence (photos, videos, messages) from encrypted devices.
Marlinspike began analyzing the device and found several vulnerabilities that could allow an attacker to include an “otherwise innocuous file in an app”. This means that when it gets scanned by a Cellebrite device he can exploit it and tamper with the device and the data it can access.
What’s more, the device contained packages signed by Apple and most likely extracted from the Windows installer for iTunes version 12.9.0.167, which could be a copyright violation.
Image Source: Signal
It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users.
For the time being, Cellebrite offered no response to the accusations.