In a turn of events, on Wednesday, Signal’s CEO, Moxie Marlinspike, reported vulnerabilities in Cellebrite’s surveillance software that could be exploited by embedding specially formatted files into any app installed on the device that will be subsequently scanned using the software.
Israel-based Cellebrite is a ‘digital intelligence’ company known to manufacture data scraping software from confiscated phones for authoritarian regimes worldwide, who primarily use this to spy on people, including activists and journalists.
In his findings, Marlinspike revealed that Cellebrite’s own software security wasn’t up to industry standards, and it’s possible to execute arbitrary code on Cellebrite’s machine by using a specially formatted file.
“Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine. There are virtually no limits on the code that can be executed,” Moxie Marlinspike wrote.
He explained that Cellebrite’s UFED and Physical Analyzer could be exploited by embedding a specially formatted file in an app installed on the device that Cellebrite’s software will subsequently scan. When the file is scanned, it executes code that can modify Cellebrite reports from devices scanned in the past or those that will be scanned in the future.
Exploiting this vulnerability allows inserting or removing text, email, photos, contacts, files and any other data sans detectable timestamps or checksum failures.
“Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defences are missing, and many opportunities for exploitation are present,” he explained.
Signal also made a video showing what happens when Cellebrite’s UFED parses a file formatted to execute arbitrary code on a Windows device.
Any app containing such a file, which is otherwise innocuous, can exploit Cellebrite’s vulnerabilities unless the company repairs them or updates their software not to scan apps perceived as a threat.
An example of the security vulnerability in Cellebrite’s software emerged from the bundled FFmpeg DLLs that have missed over 100 security updates since 2012.
The CEO found Cellbrite’s software and hardware in a bag by an “unbelievable coincidence”. While it does seem unbelievable, how he got hold of the software and hardware isn’t the important part of the story.
Marlinspike also found a potential copyright infringement as Cellebrite’s Physical Analyzer contains two MSI installer packages digitally signed by Apple, which might violate copyrights unless Apple permitted to bundle the software.
“We are, of course, willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” Marlinspike added.
Candid.Technology reached out to Cellebrite, and in an emailed response, a company representative said, “We constantly strive to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound. Cellebrite understands that research is the cornerstone of ensuring this validation. We will continue to integrate these standards in our products, software and Cellebrite team.”
The response didn’t include any direct reference to Marlinspike’s findings and whether the company is aware of the vulnerabilities or working on fixing them.
Apple hasn’t provided a comment yet.
Last year in December, Cellebrite had posted an article documenting how they could parse Signal on an Android device; however, Signal refuted those claims and now seems to have turned the tables on Sun Corporation’s subsidiary.
In the News: Instagram brings abusive DM request filter and improved blocking tool