In an epic hack, Signal developer turns the tables on forensics company Cellebrite
Israeli digital forensics company Cellebrite has for years helped governments and police around the world break into seized cell phones, mainly by exploiting vulnerabilities that device manufacturers have overlooked. Now Moxie Marlinspike, developer of the Signal messaging app, has turned the tables on Cellebrite.
On Wednesday, Marlinspike published a post reporting vulnerabilities in Cellebrite software that allowed him to run malicious code on the Windows computer used to analyze seized devices. The researcher and software developer exploited the vulnerabilities by loading specially formatted files that can be embedded in any app installed on the device being scanned.
Practically no limits
“There are virtually no limits to the code that can be executed,” wrote Marlinspike.
For example, by including a specially formatted but otherwise harmless file in an app on a device that is then scanned by Cellebrite, you can run code that changes not only the Cellebrite report produced in that scan but all previously and future generated Cellebrite reports from all previously scanned devices and all future scanned devices, in any way (inserting or removing text, email, photos, contacts, files or other data), with no noticeable timestamp changes or checksum errors. This could even be done at random and would seriously call the data integrity of Cellebrite’s reports into question.
Cellebrite sells two software packages: UFED breaks locks and encryption protection to collect deleted or hidden data, and the separate Physical Analyzer surfaces the resulting digital evidence (“trace events”).
To do their job, both parts of the Cellebrite software must parse all kinds of untrusted data stored on the device being analyzed. Software that is this promiscuous typically undergoes extensive security hardening to identify and fix the memory corruption and parsing vulnerabilities that could let an attacker execute malicious code.
“However, when we looked at both UFED and Physical Analyzer, we were surprised to find that Cellebrite’s own software security seemed to have received very little attention,” Marlinspike wrote. “Industry-standard exploit mitigation defenses are missing, and there are many opportunities for exploitation.”
One example of this lack of hardening is the inclusion of Windows DLL files for the audio/video conversion software FFmpeg. The bundled DLLs were built in 2012 and have not been updated since. Marlinspike said FFmpeg has received more than 100 security updates in the nine years since, and none of those fixes are in the FFmpeg build shipped with the Cellebrite products.
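The two claims above, missing exploit mitigations and a stale third-party component, are both checkable from the PE headers of the shipped binaries. The following is an added example, not code from Marlinspike's post or from Cellebrite: it parses the COFF file header and optional header of a Windows DLL or EXE (layouts per the Microsoft PE specification) to read the link timestamp and the DllCharacteristics flags for ASLR, DEP, CFG and high-entropy VA, then flags binaries that lack a mitigation or were linked more than a couple of years ago. The sample binaries, their names and their timestamps are constructed inline so the script runs offline; pointing it at a directory audits the real files there.

```python
"""Audit Windows PE binaries for exploit mitigations and build age.

Added example (not Marlinspike's or Cellebrite's code). Parses only the
DOS header, PE signature, COFF file header and the first 72 bytes of the
optional header. The SAMPLES below are synthetic PE images built by
build_pe() for offline demonstration; they are not loadable by Windows.
"""
import datetime as dt
import os
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flag values from the PE spec
DLLCHAR = {
    "high_entropy_va": 0x0020,  # 64-bit ASLR with high-entropy addresses
    "aslr": 0x0040,             # DYNAMIC_BASE: image may be relocated
    "dep": 0x0100,              # NX_COMPAT: data pages are non-executable
    "cfg": 0x4000,              # GUARD_CF: Control Flow Guard
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
PE32, PE32PLUS = 0x10B, 0x20B


class NotPE(ValueError):
    """Raised for input that is not a PE image this parser understands."""


def parse_pe(data: bytes) -> dict:
    """Return file type, link time and mitigation flags for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, stamp, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32, PE32PLUS) or opt_size < 72:
        raise NotPE("unsupported optional header")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    (dllchars,) = struct.unpack_from("<H", data, opt_off + 70)
    mitig = {name: bool(dllchars & bit) for name, bit in DLLCHAR.items()}
    # DYNAMIC_BASE is hollow if the linker stripped the relocations ASLR needs
    if chars & IMAGE_FILE_RELOCS_STRIPPED:
        mitig["aslr"] = False
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_64bit": magic == PE32PLUS,
        "link_time": dt.datetime.fromtimestamp(stamp, dt.timezone.utc),
        "mitigations": mitig,
    }


def findings(info: dict, now: dt.datetime, max_age_years: float = 2) -> list:
    """Problems a reviewer would flag for one parsed binary (empty list = none)."""
    out = [f"missing {n.upper()}" for n in ("aslr", "dep", "cfg")
           if not info["mitigations"][n]]
    age = (now - info["link_time"]).days / 365.25
    if age > max_age_years:
        out.append(f"linked {age:.1f} years ago ({info['link_time']:%Y-%m-%d})")
    return out


def build_pe(stamp: int, dllchars: int, *, plus: bool = False,
             chars: int = IMAGE_FILE_DLL) -> bytes:
    """Constructed minimal PE: DOS stub, signature, COFF header and a zeroed
    optional header with only Magic and DllCharacteristics filled in."""
    opt_size = 0xF0 if plus else 0xE0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, stamp,
                       0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS if plus else PE32)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a 2012-era 32-bit DLL with no mitigations, and a
# 2021 64-bit DLL linked with high-entropy ASLR, DEP and CFG. The file
# names and timestamps are illustrative, not taken from any real product.
SAMPLES = {
    "avcodec-54.dll": build_pe(1349049600, 0x0000),            # 2012-10-01
    "modern.dll": build_pe(1609459200, 0x0020 | 0x0040 | 0x0100 | 0x4000,
                           plus=True),                          # 2021-01-01
}


def audit(files: dict, now: dt.datetime = None) -> dict:
    """Map file name -> findings for every image in files (name -> bytes)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = {}
    for name, data in files.items():
        try:
            report[name] = findings(parse_pe(data), now)
        except NotPE as exc:
            report[name] = [f"not a PE image: {exc}"]
    return report


def audit_dir(path: str) -> dict:
    """Audit every .dll and .exe found under path."""
    files = {}
    for root, _dirs, names in os.walk(path):
        for n in names:
            if n.lower().endswith((".dll", ".exe")):
                full = os.path.join(root, n)
                with open(full, "rb") as fh:
                    files[full] = fh.read()
    return audit(files)


if __name__ == "__main__":
    report = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLES)
    for name, problems in sorted(report.items()):
        print(f"{name}: {'; '.join(problems) or 'ok'}")
```

Two caveats for real use: a link timestamp is only a heuristic, since reproducible builds (MSVC `/Brepro`) store a hash in that field rather than a date; and the flags above are the cheap checks only, since SafeSEH, CFG function tables and similar data live in the load config directory, which this parser does not walk.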
Marlinspike included a video showing UFED parsing a file that he formatted to run arbitrary code on the Windows machine. The payload uses the Windows MessageBox API to display a harmless message. However, Marlinspike said, “it is possible to execute arbitrary code, and a real exploit payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports (perhaps at random!), or exfiltrate data from the Cellebrite machine.”
Marlinspike said he also found two MSI installer packages that are digitally signed by Apple and appear to have been extracted from the Windows installer for iTunes. Marlinspike questioned whether their inclusion violates Apple’s copyright. Apple didn’t immediately comment when asked.
In an email, a Cellebrite representative wrote: “Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available.” The representative didn’t say whether the company’s engineers were aware of the vulnerabilities Marlinspike detailed or whether the company had permission to bundle Apple’s software.
Marlinspike said he obtained the Cellebrite equipment through “a really incredible coincidence” when he was out walking and “saw a small package fall off a truck in front of me.” That account strains belief, and Marlinspike declined to provide additional details on how he came into possession of the Cellebrite tools.
The fell-off-a-truck line wasn’t the only tongue-in-cheek statement in the post. Marlinspike also wrote:
In completely unrelated news, upcoming versions of Signal will periodically fetch files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and probably only in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and we will cycle through them slowly over time. There is no other significance to these files.
The vulnerabilities could give defense attorneys grounds to question the integrity of forensic reports produced with Cellebrite software. Cellebrite representatives did not respond to an email asking whether they were aware of the vulnerabilities or had plans to fix them.
“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same, now and in the future, for all the vulnerabilities they use in their physical extraction and other services,” Marlinspike wrote.
This post has been updated to add the fourth and penultimate paragraphs and to include a comment from Cellebrite.