Phone scanning and data extraction company Cellebrite faces the possibility of app makers being able to hack back against its tools, after Signal revealed that it was possible to achieve arbitrary code execution through them.
Cellebrite’s tools are used to extract data from phones that are physically in the operator’s possession.
“By including a specially formatted but otherwise harmless file in an app on a device that is then scanned by Cellebrite, it is possible to execute code that modifies not only the Cellebrite report that is created in that scan, but also all previous and future Cellebrite reports, all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no timestamp changes or verification findings,” Signal CEO Moxie Marlinspike wrote.
“This could even be done at random, and would seriously question the accuracy of Cellebrite’s reporting data.”
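The point of the quoted claim is that a report altered after the fact leaves no trace a reviewer could check. The example below, added here and not code from Signal or Cellebrite, shows the kind of control that makes such edits detectable: a manifest of keyed hashes (HMAC-SHA256) is produced when a report is created, using a key the scanning workstation never stores, and later verification flags any report whose contents no longer match. The report file names, contents and key are constructed sample values.

```python
"""Detect after-the-fact modification of extraction reports with a keyed manifest.

Added example, not Cellebrite's or Signal's code. Plain SHA-256 would not help:
code running on the scanning workstation could simply recompute the hashes.
Keying the manifest with a secret held elsewhere (verification server, HSM)
means a forged manifest cannot be produced on the compromised machine.
"""
import hashlib
import hmac
import json

# Constructed sample: a key held off the scanning workstation, and two report
# files as they were written at scan time.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_REPORTS = {
    "case-001/report.html": b"<html><body>Extraction report, device A</body></html>\n",
    "case-001/contacts.csv": b"name,number\nAlice,+1-555-0100\nBob,+1-555-0101\n",
}


def _canonical(entries):
    """Stable JSON encoding so the seal does not depend on dict ordering."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(reports, key):
    """Create {'entries': {path: hmac_hex}, 'seal': hmac over the entry list}.

    The seal binds the set of files together, so deleting an entry from the
    manifest is detected as well as modifying a file.
    """
    entries = {path: _mac(key, data) for path, data in sorted(reports.items())}
    return {"entries": entries, "seal": _mac(key, _canonical(entries))}


def verify_manifest(reports, manifest, key):
    """Check current report contents against a manifest.

    Returns a dict with:
      seal_ok   - manifest entry list is intact and was made with this key
      modified  - paths whose current contents differ from what was sealed
      missing   - sealed paths that no longer exist
      unexpected- paths present now that were never sealed
    """
    entries = manifest["entries"]
    seal_ok = hmac.compare_digest(manifest["seal"], _mac(key, _canonical(entries)))
    modified, missing = [], []
    for path, expected in entries.items():
        if path not in reports:
            missing.append(path)
        elif not hmac.compare_digest(expected, _mac(key, reports[path])):
            modified.append(path)
    unexpected = sorted(set(reports) - set(entries))
    return {
        "seal_ok": seal_ok,
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo_tampered_detection():
    """Seal the sample reports, silently edit one contact, and re-verify."""
    manifest = build_manifest(SAMPLE_REPORTS, SAMPLE_KEY)
    tampered = dict(SAMPLE_REPORTS)
    # The edit keeps the file the same length, so size and mtime are no help.
    tampered["case-001/contacts.csv"] = b"name,number\nAlice,+1-555-0100\nBob,+1-555-0999\n"
    return verify_manifest(tampered, manifest, SAMPLE_KEY)


if __name__ == "__main__":
    print(json.dumps(demo_tampered_detection(), indent=2))
```

This only protects reports sealed before the malicious file is scanned, which is exactly the "all previous reports" part of the claim; a report produced by an already-compromised tool is untrustworthy regardless of how it is sealed afterwards, so the manifest has to be generated and stored by a system the extraction workstation cannot rewrite.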
Usually, when weaknesses of this kind are discovered, they are disclosed to the software maker so it can fix them, but since Cellebrite makes its living from undisclosed vulnerabilities, Marlinspike raised the stakes.
“We are, of course, ready to reveal to Cellebrite the specific vulnerabilities we know of if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” he said.
Signal’s CEO said Cellebrite’s software has “lots of opportunities to exploit” and he believes the company should have been more careful in creating the tool.
For example, Cellebrite bundles FFmpeg DLLs built in 2012. Since that year, nearly 230 vulnerabilities have been reported in FFmpeg.
Marlinspike also highlighted that Cellebrite bundles two installers from Apple to allow its equipment to extract data from iOS devices.
“It seems unlikely to us that Apple has given Cellebrite a license to redistribute and incorporate Apple DLLs into its own product, so this could pose a legal risk to Cellebrite and its users,” he said.
In a video dripping with references to the movie Hackers, Marlinspike showed the exploit in action, before taking a swipe at Cellebrite.
“In completely unrelated news, forthcoming versions of Signal will periodically fetch files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software,” he said.
“We have a few different versions of files that we think are aesthetically pleasing, and we will slowly cycle through those over time. These files have no other significance.”
Marlinspike said he was extremely lucky to have found a Cellebrite toolkit lying on the ground while out for a walk.
In December, Marlinspike dismissed Cellebrite’s claims that it could crack Signal’s encryption.
“Cellebrite posted something with a lot of detail, then quickly pulled it down and replaced it with something that didn’t have details,” Marlinspike wrote at the time.
“This is not because they have ‘revealed’ anything about some advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They pulled it down for exactly the other reason: it makes them look bad.
“Articles about this post would have been more appropriately titled ‘Cellebrite accidentally reveals that their technical capabilities are just as bankrupt as their role in the world.’”