Date: 2021-04-21



The CEO of the secure messaging app Signal has hacked a Cellebrite phone-unlocking device and revealed a serious vulnerability that could be used against police investigators.

Cellebrite is a digital forensics company that creates tools and resources for unlocking devices such as the iPhone. It is known for selling hacking devices to governments and law enforcement agencies for research, and even to public school districts in the United States.

On Wednesday, Signal founder Moxie Marlinspike reported some vulnerabilities in the hacking hardware that could be used to execute malicious code on the machine used to analyze unlocked devices. In the real world, that is probably a police or government investigator's machine.

Beyond that, Marlinspike said there were “substantially unlimited” types of malicious code that could be executed using the vulnerability.

For example, by including a specially formatted but otherwise harmless file in an app on a device that is scanned by Cellebrite, it is possible to execute code that modifies not only the Cellebrite report produced by that scan, but also all previously and future generated Cellebrite reports, from all previously scanned devices and all future scanned devices, in any way (inserting or deleting text, emails, photos, contacts, files, or other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and it would seriously call the data integrity of Cellebrite's reports into question.

Marlinspike explains that Cellebrite's hacking devices need to analyze all types of untrusted data on the iPhone or other device being analyzed. Upon further investigation, he said, “Cellebrite’s own software security seems to have received little attention.”

The Signal founder points out that the software is missing industry-standard malware mitigation measures, which leaves “many opportunities” for exploitation. For example, the Cellebrite system uses Windows audio/video conversion software released in 2012. Since then, that software has been updated with over 100 security fixes, none of which are included in Cellebrite products.

Also of interest is a pair of MSI installer packages in Physical Analyzer that are digitally signed by Apple. Marlinspike suggests that the packages, which implement the functionality between iTunes and iOS devices, were extracted from the Windows installer for iTunes version 12.9.0.167. It is unlikely that Apple has licensed Cellebrite to use the software, and its deployment could pose legal issues in the future.

The post also includes additional details about Cellebrite’s device hacking products. For example, the company offers two software packages: UFED, which breaks through encryption and collects deleted or hidden data, and Physical Analyzer, which detects “trace events” in digital evidence collection.

For users who are concerned about Cellebrite’s ability to break into iPhone devices, Marlinspike points out that its products require physical access. That is, it does not perform remote monitoring or data interception.

As for how Marlinspike obtained the Cellebrite device, he says it was “a really incredible coincidence.” As he was walking one day, he “saw a small piece of luggage falling from the truck in front of me.” The package apparently included “the latest version of Cellebrite software, a hardware dongle designed to prevent piracy, and a strange number of cable adapters.”

It is worth pointing out that Marlinspike and his team have released details about Cellebrite’s vulnerabilities outside the scope of responsible disclosure. On that note, he said that if Cellebrite shares the exploit it uses to hack the iPhone, his team will be happy to share the details of the vulnerability.

“Of course, if Cellebrite does the same for all vulnerabilities used in physical extraction and other services now and in the future, we are responsible for disclosing specific vulnerabilities to Cellebrite,” Marlinspike writes.

In a seemingly ambiguous final paragraph, Marlinspike wrote that future versions of Signal will include files that “will not be used for anything in Signal and will not interact with Signal software or data.”

He added that the file “looks good and aesthetics are important in software.” However, given the joking nature of some of the other content in the blog post, the files could become a mitigation mechanism that interferes with Cellebrite's unlocking tools in the future. Cellebrite recently announced support for displaying Signal data from unlocked devices.

This isn’t the first time a security incident has occurred at Cellebrite. In 2017, the company’s servers were hacked, resulting in the leakage of product data and technical files. In addition, Cellebrite sells its tools only to law enforcement and other government agencies, but according to a 2019 report, Cellebrite devices were sold on eBay.

