Moxie Marlinspike, CEO of Signal, said Wednesday that vulnerabilities in Cellebrite’s surveillance software can be exploited by embedding specially formatted files in any app installed on a device that is then scanned by the software.
Israeli company Cellebrite is known for making software that extracts data from seized phones; it is sold to authoritarian regimes around the world, which use it primarily to spy on people, including activists and journalists.
In his findings, Marlinspike noted that Cellebrite’s own software did not meet industry standards and that arbitrary code could be executed on a Cellebrite machine with a specially formatted file.
"Given the number of features available, we have determined that it is possible to execute arbitrary code on the Cellebrite machine. There is virtually no limit to the code that can be executed," Moxie Marlinspike wrote.
He explained that UFED and Cellebrite Physical Analyzer can be exploited by placing a specially formatted file inside an application installed on the device, which is then scanned by the Cellebrite software. When the file is scanned, it executes code that can alter Cellebrite's reports on devices scanned in the past or to be scanned in the future.
By exploiting this vulnerability, text, emails, photos, contacts, files and other data can be inserted or deleted without any detectable change to timestamps or checksums.
"Since almost all of Cellebrite's code is designed to analyze untrusted input data that can be unexpectedly formatted to exploit memory corruption or other vulnerabilities in the analysis software, one would expect Cellebrite to be extremely careful. In reviewing both UFED and Physical Analyzer, we were surprised that very little attention seemed to be paid to the security of Cellebrite's software. There are no industry standards for building protection, and there are many ways to operate them," he said.
Signal also published a video showing what happens when Cellebrite's UFED scans a specially formatted file that executes arbitrary code on the Windows machine running it.
Any application that contains such a file, and is otherwise harmless, could exploit Cellebrite's vulnerabilities unless the company patches them, or updates its software so that applications it considers a threat are not scanned.
One example of a security hole in Cellebrite's software is the set of FFmpeg DLLs bundled with it, which have missed more than 100 security updates since 2012.
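Marlinspike's point that industry-standard exploit mitigations are missing can be checked on any Windows DLL or EXE, such as bundled FFmpeg libraries, by reading the DllCharacteristics flags in the PE optional header. The following is an added example, not code from Signal's post or from Cellebrite's software; the stub image it builds is a constructed header-only test input and is not loadable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR)
NX_COMPAT = 0x0100         # compatible with DEP / NX
GUARD_CF = 0x4000          # Control Flow Guard instrumented


def parse_pe(pe):
    """Return (is_64bit, dll_characteristics) for a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    return magic == 0x20B, struct.unpack_from("<H", pe, opt + 70)[0]


def missing_mitigations(pe):
    """List the compile-time mitigations a binary lacks (ASLR, DEP, CFG, high-entropy ASLR)."""
    is64, flags = parse_pe(pe)
    wanted = [("ASLR (DYNAMIC_BASE)", DYNAMIC_BASE),
              ("DEP (NX_COMPAT)", NX_COMPAT),
              ("CFG (GUARD_CF)", GUARD_CF)]
    if is64:                                     # high-entropy VA only applies to 64-bit images
        wanted.append(("High-entropy ASLR (HIGH_ENTROPY_VA)", HIGH_ENTROPY_VA))
    return [name for name, bit in wanted if not flags & bit]


def build_stub_pe(dllchar, pe32plus=True):
    """Constructed minimal header-only image for testing; it cannot be loaded or run."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To audit a real file, pass `open(path, "rb").read()` to `missing_mitigations`; an empty list means all checked flags are set.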
By an incredible coincidence, the Signal CEO came across Cellebrite software and hardware in a package. That sounds unlikely, but how he came into possession of the software and hardware is not the important part of the story.
Marlinspike said he found the bag in the street after it fell off a truck. (Image: Signal)
Marlinspike also found a potential copyright problem: the Cellebrite Physical Analyzer software contains two MSI installation packages digitally signed by Apple, which could constitute copyright infringement unless Apple granted permission to bundle the software.
"We are certainly prepared to responsibly report some of the vulnerabilities of Cellebrite that we are aware of, if they do the same for vulnerabilities they use in physical extraction and other services to their respective vendors, now and in the future."
Last December, Cellebrite published an article claiming it could decrypt Signal data on an Android device. Signal refuted those claims at the time, and now appears to be turning up the heat on the Sun Corporation subsidiary.
A few months ago, Cellebrite announced that it would begin analyzing Signal data in its mining tools. They don’t seem to be doing it very carefully.
Exploitation of vulnerabilities in Cellebrite software, from an application perspective: https://t.co/9ar6ypnPe2
– Moxie Marlinspike (@moxie) April 21, 2023