After cellphone hacking company Cellebrite said it had figured out a way to access the secure messaging app Signal, Signal said in a blog post that it had turned the tables. App creator Moxie Marlinspike claimed his team had secured a Cellebrite hacking kit and discovered several weaknesses. He then suggested that Signal update the app to block any law enforcement efforts to hack it.
Cellebrite sells a series of “data analytics devices” called UFED that allow law enforcement to break into iOS or Android phones and extract message logs, call records, photos and other data. The FBI has allegedly used the company's hacking tools to unlock iPhones in the past.
Marlinspike managed to get a Cellebrite UFED, along with the software and hardware dongle, joking that it fell off a truck while he was out for a walk. (Older versions of the devices have appeared on eBay and other websites in the past.)
He noted that it uses some old and outdated DLLs, including a 2012 version of FFmpeg and MSI Windows installer packages for Apple’s iTunes program. “However, when looking at UFED and Physical Analyzer, we were surprised to find that little care seems to have been given to Cellebrite’s own software security,” he wrote.
Signal’s team found that by including “specially formatted but otherwise harmless files in any app on a device” scanned by Cellebrite, it could run code that modifies the UFED report. For example, it could potentially insert or remove text, email, photos, links and other data without leaving any trace of the intrusion.
In a tweet, Signal showed the hack in action, with the UFED parsing a specially formatted file to run code and display a harmless message. However, the company said that “a real exploitation payload would likely seek to unambiguously alter previous reports, jeopardize the integrity of future reports, or over-filter data from the Cellebrite engine.” Marlinspike then suggested it could install such code in Signal to foil future Cellebrite extraction efforts by law enforcement.
Signal released details of Cellebrite’s perceived weaknesses without giving the company any warning, but said it would change tack if Cellebrite returned the favor. “We are, of course, ready to reveal to Cellebrite the specific vulnerabilities we know of if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”
Cellebrite told Ars Technica that it is “committed to protecting the integrity of our customers’ data, and we continually audit and update our software to equip our customers with the best available digital intelligence solutions.” Signal’s allegations should be treated with some skepticism without seeing more details around the hack, along with confirmation from other security experts.
Update 4/22/2021 7:23 AM ET: A reference to Cellebrite’s tools being used to unlock the San Bernardino shooter's iPhone has been deleted, as it was another company that allegedly did the job.