The creator of the messaging app Signal has written a long blog post calling out various vulnerabilities in Cellebrite's devices.
A new report from Vice says that the founder of the security-focused messenger Signal, Moxie Marlinspike, revealed today that he found and exploited vulnerabilities in software from Cellebrite, a company that specializes in digital forensics tools used by authorities around the world to extract data from phones.
According to Marlinspike's analysis of the company's tech, its software is itself full of security vulnerabilities. He explains that he obtained a Cellebrite-branded package containing dongles, its latest software, and cables after he saw it "fall off a truck ahead of me."
Analyzing the software, he found that Cellebrite's software could itself be hacked by leaving specially designed code inside apps on a phone that's being targeted, like booby traps.
“Anyone familiar with software security will immediately recognize that the primary task of Cellebrite’s software is to parse ‘untrusted’ data from a wide variety of formats as used by many different apps. That is to say, the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a ‘trusted’ source, so Cellebrite can’t make any assumptions about the ‘correctness’ of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.”
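The point in the quote above is the classic one: a forensic extractor reads length fields and payloads that the phone's apps wrote, so every length has to be checked against both the bytes actually present and the destination it is copied into before anything is trusted. The following is an added example to illustrate that, written for this page; it is not code from Cellebrite, Signal or Marlinspike's post. The tag-length-value record format and the sample inputs are constructed for the example and do not correspond to any real app's data format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format (an assumption for this example, not a real format):
 *   [1 byte type][2 byte little-endian length][length bytes of payload] ...
 * Type 0x01 is a "display name" record; every other type is skipped. */

#define MAX_NAME 32

typedef struct {
    char name[MAX_NAME];   /* fixed-size destination the attacker does not control */
    uint32_t name_count;
    uint32_t skipped;
} parse_result;

enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_OVERSIZE = 2 };

/* Hardened parser: the header must fit, the claimed payload length must fit in the
 * bytes that remain, and the payload must fit in the destination (with its NUL)
 * before a single byte is copied. A parser that trusted rlen from the file and
 * called memcpy straight away is exactly the defect the quote describes. */
int parse_records(const uint8_t *buf, size_t len, parse_result *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 3)
            return PARSE_TRUNCATED;                /* header does not fit */
        uint8_t type = buf[off];
        uint16_t rlen = (uint16_t)((uint16_t)buf[off + 1] | ((uint16_t)buf[off + 2] << 8));
        off += 3;
        if (rlen > len - off)
            return PARSE_TRUNCATED;                /* file lies about its own size */
        if (type == 0x01) {
            if (rlen >= MAX_NAME)
                return PARSE_OVERSIZE;             /* would overflow out->name */
            memcpy(out->name, buf + off, rlen);
            out->name[rlen] = '\0';
            out->name_count++;
        } else {
            out->skipped++;                        /* unknown types are skipped, never interpreted */
        }
        off += rlen;
    }
    return PARSE_OK;
}

/* Constructed sample 1: a well-formed file with one name record and one unknown record. */
static const uint8_t SAMPLE_GOOD[] = {
    0x01, 0x05, 0x00, 'a', 'l', 'i', 'c', 'e',   /* type 1, length 5, "alice" */
    0x02, 0x02, 0x00, 0xAA, 0xBB                 /* type 2, length 2, opaque payload */
};

/* Constructed sample 2: the length field claims 65535 bytes but only 5 follow. */
static const uint8_t SAMPLE_LIE[] = {
    0x01, 0xFF, 0xFF, 'a', 'l', 'i', 'c', 'e'
};

int parse_good_sample(parse_result *out)
{
    return parse_records(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out);
}

int parse_lying_sample(parse_result *out)
{
    return parse_records(SAMPLE_LIE, sizeof SAMPLE_LIE, out);
}

/* Constructed sample 3: a consistent file whose name record is simply larger than the
 * destination buffer; a parser that only checked the buffer bound would still overflow. */
int parse_oversize_sample(parse_result *out)
{
    uint8_t buf[3 + 40];
    buf[0] = 0x01; buf[1] = 40; buf[2] = 0;
    memset(buf + 3, 'A', 40);
    return parse_records(buf, sizeof buf, out);
}

int main(void)
{
    parse_result r;
    printf("good:     rc=%d name=%s skipped=%u\n", parse_good_sample(&r), r.name, r.skipped);
    printf("lying:    rc=%d\n", parse_lying_sample(&r));
    printf("oversize: rc=%d\n", parse_oversize_sample(&r));
    return 0;
}
```

The two failure cases are deliberately different: the second sample is caught by the buffer-bound check, the third only by the destination-bound check, and a parser needs both. Rejecting the file with an error code, rather than trying to salvage it, also leaves an auditable trail that the extraction hit malformed data instead of silently producing a report.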
So he placed an innocuous-looking but specially formatted file on the device that Cellebrite's software would eventually scan. Once it did, the attacker could execute arbitrary code that modifies the unlocker device's report. Additionally, that code can modify past and future reports, giving authorities reason to question the authenticity of the device.
To demonstrate the possibilities of the hack, the Signal team used the MessageBox Windows API to display a message that read: "MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!"
At the end, Marlinspike notes that Cellebrite appears to be using Apple iTunes DLLs, which is very likely a breach of copyright. The blog post is definitely worth the read.