For years, Israeli digital forensics company Cellebrite has helped governments and police around the world break into seized mobile phones, primarily by exploiting vulnerabilities that went unnoticed by device makers. Now, Moxie Marlinspike – creator of the Signal messaging app – has turned the tables on Cellebrite.
On Wednesday, Marlinspike published a post reporting vulnerabilities in Cellebrite software that allowed it to execute malicious code on a Windows computer used to analyze devices. The researcher and software engineer took advantage of the vulnerabilities by uploading specially formatted files that can be incorporated into any app installed on the device.
Almost no limits
“There are virtually no limits on the code that can be implemented,” Marlinspike wrote.
For example, by including a specially formatted but otherwise harmless file in an app on a device that is then scanned by Cellebrite, it is possible to implement code that modifies not only the Cellebrite report that created in that scan, but also all previous and future work produced. Cellebrite reports all previously scanned devices and all future scanned devices in any arbitrary way (insert or remove text, email, photos, links, files, or any other data), without any time stamp changes or verification findings. This could even be done at random, and would seriously question the accuracy of Cellebrite’s data reporting.
Cellebrite provides two software packages: UFED breaks through locks and encryption protections to collect erased or hidden data, and a separate Physical Analyst unlocks digital evidence (“incident tracking”).
To do their job, the two pieces of Cellebrite software must apportion all types of untrusted data stored on the device being analyzed. Typically, this promising software goes through all kinds of security hardening to detect and repair any memory corruption or vulnerabilities that might allow hackers to execute malicious code.
“However, looking at UFED and Physical Analyzer, we were surprised to find that very little care seems to have been given to the security of Cellebrite’s own software,” wrote Marlinspike. “Industry standard exploitation mitigation defenses are missing, and many opportunities for exploitation are present.”
Integrity of compromise
One example of this lack of hardening was the inclusion of Windows DLL files for audio / video conversion software called FFmpeg. The software was built in 2012 and has not been updated since. Marlinspike said FFmpeg has received more than 100 security updates in the nine years in the meantime. None of those solutions are included in the FFmpeg software bundled into the Cellebrite products.
Marlinspike included a video that shows UFED as it parses a file that formatted to execute arbitrary code on a Windows device. The payload uses the Windows MessageBox API to display a harmless message, but Marlinspike said “any code can be executed, and a real exploitation payload would likely try to change previous reports as undetectable, jeopardizing the integrity of reports the future (maybe random!), or over-filtering data from the Cellebrite engine. “
Marlinspike said it also found two MSI installer packages that have been digitally signed by Apple and appear to have been removed from the Windows installer for iTunes. Marlinspike questioned whether the inclusion is a violation of Apple’s copyrights. Apple did not immediately comment when asked about this.
In an email, a Cellebrite representative wrote: “Cellebrite is committed to protecting the integrity of our customers’ data, and we are continually examining and updating our software to equip our customers with the best digital intelligence solutions available.” The representative did not say whether company engineers were aware of the vulnerabilities Marlinspike identified or whether the company had permission to bundle Apple software.
Marlinspike said he got the Cellebrite gear in a “truly unbelievable coincidence” as he walked and “saw a small package fall off a truck in front of me.” The incident seems truly unbelievable. Marlinspike declined to provide additional details about exactly how it acquired the Cellebrite equipment.
The truck drop line was not the only tongue-in-cheek statement in the mail. Marlinspike also wrote:
In completely unrelated news, upcoming versions of Signal will periodically fetch files for storage when app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active settings for some time, and probably only in low percentages based on sharding of phone numbers. We have a few different versions of files that we think are aesthetically pleasing, and will slowly repeat through those over time. These files have no other significance.
The vulnerabilities could provide fodder for defense attorneys to challenge the accuracy of forensic reports generated using Cellebrite software. Cellebrite representatives did not respond to an email asking if they were aware of the weaknesses or had plans to fix it.
“We are of course ready to reveal the specific vulnerabilities we know to Cellebrite responsible if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future, ”wrote Marlinspike.
Updated post to add fourth and third paragraphs to last and to add a comment from Cellebrite.