Signal hacks Cellebrite device, reveals vulnerabilities and potential Apple copyright conc...

Posted:
in General Discussion edited April 27
The CEO of secure messaging app Signal has hacked a phone unlocking device made by Cellebrite, revealing critical vulnerabilities that could be used against police investigators.

Credit: Cellebrite
Credit: Cellebrite


Cellebrite is a digital forensics company that produces tools and resources to unlock devices like the iPhone. It famously sells its hacking devices to government and law enforcement agencies for investigative use, and even U.S. public school districts.

On Wednesday, Signal founder Moxie Marlinspike reported several vulnerabilities in the hacking hardware that could be used to run malicious code on a machine used to analyze an unlocked device. In the real world, that would most likely be a police or government investigator's machine.

More than that, Marlinspike said there are "virtually no limits" on the type of malicious code that could be executed using the vulnerabilities.
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it's possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite's reports into question.
Marlinspike explains that the Cellebrite hacking device needs to parse all types of untrusted data on the iPhone or other device being analyzed. He notes that, upon further investigation, "very little care seems to have been given to Cellebrite's own software security."

The Signal founder points out that industry-standard malware mitigation measures and missing. That allows "many opportunities" for exploitation. For example, the Cellebrite system uses a Windows audio/video conversion software that was released in 2012. Since then, the software has been updated with more than 100 security fixes -- none of which are included in the Cellebrite products.

Also of interest is a pair of MSI installer packages in Physical Analyzer that are digitally signed by Apple. Marlinspike suggests the packages, which implement functionality between iTunes and iOS, were extracted from the Windows installer for iTunes version 12.9.0.167. It is unlikely that Apple gave Cellebrite a license to use the software, meaning its deployment could cause legal problems down the road.

There are additional details about Cellebrite's device hacking products. For example, the company provides two software packages: UFED, which breaks through encryption to collect deleted or hidden data, and Physical Analyzer, which detects "trace events" for digital evidence collection.

For users concerned about Cellebrite's ability to break into iPhone devices, Marlinspike points out that the company's products require physical access. They don't do remote surveillance or data interception, in other words.

As far as how Marlinspike was able to get a Cellebrite device, he says he obtained it in a "truly unbelievable coincidence." When he was walking one day, he "saw a small package fall off a truck ahead of me." That package apparently contained "latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy ... and a bizarrely large number of cable adapters."

Marlinspike and his team published details about the Cellebrite vulnerabilities outside of the scope of responsible disclosure. The team would be willing to share details of the vulnerabilities -- if Cellebrite shares the exploits they use to hack iPhones.

"We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future," Marlinspike wrote.

In a seemingly intentionally vague last paragraph, Marlinspike writes that future versions of Signal will include files that "are never used for anything inside Signal and never interact with Signal software or data."

He added that the files "look nice, and aesthetics are important in software." But, given the tongue-in-cheek nature of some of the other content in the blog post, there's a chance that the files could be a mitigation mechanism to foil Cellebrite unlocking tools in the future. Cellebrite recently announced support to display Signal data from an unlocked device.

This isn't the first time Cellebrite has had a security incident. Back in 2017, the company's servers were hacked, which resulted in the leak of data and technical files about its products. Additionally, although Cellebrite only sells its tools to law enforcement and other government agencies, reports in 2019 indicated that Cellebrite devices were being sold on eBay.
«1

Comments

  • Reply 1 of 23
    22july201322july2013 Posts: 2,314member
    As far as how Marlinspike was able to get a Cellebrite device, he says he obtained it in a "truly unbelievable coincidence." When he was walking one day, he "saw a small package fall off a truck ahead of me.
    How lucky. And it was the only thing that fell off of the truck.
    applguymagman1979watto_cobra
  • Reply 2 of 23
    BeatsBeats Posts: 2,291member
    If true this is fate. But wouldn’t he be charged with stealing?

    Either way I hope it’s true as it would help Apple security.
    kitatitmagman1979watto_cobra
  • Reply 3 of 23
    In the headline copyright was mentioned. I did not see anything about it in the article.

    Beatswatto_cobra
  • Reply 4 of 23
    In the headline copyright was mentioned. I did not see anything about it in the article.

  • Reply 5 of 23
    DAalsethDAalseth Posts: 1,553member
    johnkatos said:
    In the headline copyright was mentioned. I did not see anything about it in the article.

    From the article
    Also of interest is a pair of MSI installer packages in Physical Analyzer that are digitally signed by Apple. Marlinspike suggests the packages, which implement functionality between iTunes and iOS, were extracted from the Windows installer for iTunes version 12.9.0.167. It is unlikely that Apple gave Cellebrite a license to use the software, meaning its deployment could cause legal problems down the road.


    Beatsrob53mwhitefahlmanwatto_cobra
  • Reply 6 of 23
    DAalsethDAalseth Posts: 1,553member
    In the real world, that would most likely be a police or government investigator's machine.
    The mere fact that these people got one tells me that it ISN’T only used by governments. If they could get one I’m sure private spying groups, professional hackers, and higher end mafiosi have gotten their hands on them. If they are sending them through standard shipping channels it isn’t that hard for the right people to intercept the package. 

    agilealtitudeOferwatto_cobra
  • Reply 7 of 23
    It fell off a truck, right in front of the CEO of a famous secure messaging app! How about that. 
    DAalsethOferboxcatcherapplguypscooter63fahlmanwatto_cobra
  • Reply 8 of 23
    StrangeDaysStrangeDays Posts: 11,280member
    Big if true. If it’s possible to compromise police agencies using secret, “black box” software introduced into the evidence chain of custody, it taints that evidence and effectively breaks the chain. This is big news for any defendant that has charges stemming from a Cellebrite scan.

    These sorts of forensics tools should not be secret. Imagine if DNA labs wouldn’t tell defendants what sort of tests they conducted or detailed the chain of custody for samples. 
    edited April 21 h4y3swatto_cobra
  • Reply 9 of 23
    prokipprokip Posts: 169member
    Off the back of the truck...

    There is a criminal offense called "Larceny by Finding".  It is a common law offense with significant depending on how heinous the conduct of the finder and how much you upset the judge hearing the matter.  Marlinspike would have to  prove he took reasonable steps to locate the owner of the property, which he unfortunately admits he did not in his blog.



    watto_cobra
  • Reply 10 of 23
    prokipprokip Posts: 169member
     significant penalties
  • Reply 11 of 23
    applguyapplguy Posts: 134member
    Exactly what any normal person would do when a package falls from a truck in front of you.... Open it to see what’s in it. The shipping label must have been damaged rendering it unreadable. 
    photography guywatto_cobra
  • Reply 12 of 23
    As far as how Marlinspike was able to get a Cellebrite device, he says he obtained it in a "truly unbelievable coincidence." When he was walking one day, he "saw a small package fall off a truck ahead of me.
    How lucky. And it was the only thing that fell off of the truck.
    prokip said:
    Off the back of the truck...

    There is a criminal offense called "Larceny by Finding".  It is a common law offense with significant depending on how heinous the conduct of the finder and how much you upset the judge hearing the matter.  Marlinspike would have to  prove he took reasonable steps to locate the owner of the property, which he unfortunately admits he did not in his blog.



    "Fell off the back of a truck" is an idiom that means the item in question was acquired by less than legal means; most often implying the item was stolen at some point... but I'm not going to implicate myself.   Marlinspike wasn't being literal.  He was being cheeky.  


    edited April 21 randominternetpersonhcrefugeepscooter63longpath
  • Reply 13 of 23
    mac_dogmac_dog Posts: 886member
    mr lizard said:
    It fell off a truck, right in front of the CEO of a famous secure messaging app! How about that. 
    Indeed. Stranger things have happened—like the past 4 years...
    MplsPwatto_cobra
  • Reply 14 of 23
    dewmedewme Posts: 3,608member
    Y'all know that these organizations are all playing in the same shady, sleazy, and cutthroat swamp? Who are the good guys and who are the bad guys is purely subjective and based on the outcome you happen to desire. 
    CloudTalkinh4y3spscooter63watto_cobra
  • Reply 15 of 23
    rob53rob53 Posts: 2,515member
    prokip said:
    Off the back of the truck...

    There is a criminal offense called "Larceny by Finding".  It is a common law offense with significant depending on how heinous the conduct of the finder and how much you upset the judge hearing the matter.  Marlinspike would have to  prove he took reasonable steps to locate the owner of the property, which he unfortunately admits he did not in his blog.

    There's also laws against hacking locked iPhones but our government doesn't appear to care about that so I wouldn't worry about any larceny by finding. I'd like to see a prosecutor try and get a jury to challenge anything having to do with what I see as a criminal, foreign country company. 
    randominternetpersonbeowulfschmidtwatto_cobra
  • Reply 16 of 23
    GabyGaby Posts: 168member
    What an absolute hero. Truly I cannot stop smiling. I hope the device is somewhere secure before the CIA, NSA and Christ knows what other agencies come banging on the door citing......wait for it..... “national security!”
    randominternetpersonh4y3slongpathwatto_cobra
  • Reply 17 of 23
    davidwdavidw Posts: 1,210member
    dewme said:
    Y'all know that these organizations are all playing in the same shady, sleazy, and cutthroat swamp? Who are the good guys and who are the bad guys is purely subjective and based on the outcome you happen to desire. 
    Star Wars fan?

    From "The Last Jedi"

    when escaping from the casino planet on a ship flown by DJ  (the character played by Benicio Del Toro)  and Finn was questioning DJ on why he was ransacking his own ship, only to find out that DJ and BB8 stoled it. 

              Finn: At least you're stealing from the bad guys and helping the good.

    DJ: Good guys, bad guys, made-up words. Let's see who formerly owned this gorgeous hunk-uh. Ah, this guy was an arms dealer. Made his bank selling weapons to the bad guys. (hologram shows a tie fighter) Oh... And the good. (hologram shows a x-wing) Finn, let me learn you something big. It's all a machine, partner. Live free, don't join.

    and after selling out Finn and Rose and cutting a deal with the First Order, (after their capture), by revealing that the Resistance was fleeing to a planet on transports, in exchange for his freedom, payment and a ship.

              Finn: You murdering bastard!!

              DJ: Oooh... t-t-take it easy, Big F. They blow you up today, you blow them up tomorrow. Nothing personal; It’s just business.

              Finn: You're wrong.

              DJ: Maybe.

    dewme
  • Reply 18 of 23
    So, the company whose one job is to hack devices.... *puts on shades* GOT HACKED.

    YEEEEEAAAAAHHHH!!!
    longpathwatto_cobra
  • Reply 19 of 23
    I love this story.  Who's hacking the hackers?  Moxie Marlinspike apparently.  Even the dude's name is delicious.
    h4y3spscooter63longpathStrangeDayswatto_cobra
  • Reply 20 of 23
    h4y3sh4y3s Posts: 43member
    Big if true. If it’s possible to compromise police agencies using secret, “black box” software introduced into the evidence chain of custody, it taints that evidence and effectively breaks the chain. This is big news for any defendant that has charges stemming from a Cellebrite scan.

    These sorts of forensics tools should not be secret. Imagine if DNA labs wouldn’t tell defendants what sort of tests they conducted or detailed the chain of custody for samples. 
    This is the big takeaway. And with Moxie including a silent “bomb” in his app just for this purpose (or so it would seem), very nice move!!
    longpathrandominternetpersonStrangeDaysbeowulfschmidtwatto_cobra
Sign In or Register to comment.