Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns
from the distinct-lack-of-'what-if-this-feel-into-the-wrong-hands'-thinking-by-Ce dept
A pretty hilarious turn of events has led to Cellebrite's phone hacking tech being hacked by Signal's Moxie Marlinspike, revealing the tech law enforcement uses to pull data from seized phones is host to major security flaws.
According to Marlinspike, the Cellebrite came into his possession thanks to some careless package handling.
By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
This must be what actually happened. I mean, there's a photo of a Cellebrite lying on the street. That should end any senseless law enforcement speculation about this device's origin story.
The fun starts immediately, with Marlinspike finding all sorts of things wrong with Cellebrite's own device security. This would seem to be a crucial aspect considering Cellebrite performs raw extractions of unvetted data from seized phones, which could result in the forced delivery of malware residing on the target device. But that doesn't appear to concern Cellebrite, which seems to feel its products will remain unmolested because they're only sold to government agencies.
Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.
Just one example of this carelessness is unpatched DLLs residing in the Cellebrite system software. One DLL used to handle extracted video content hasn't been updated since 2012, ignoring more than 100 patches that have been made available since then.
This means it wouldn't be much of a hassle to target Cellebrite devices with code that could corrupt not only the current data extraction but also the results of every previous extraction performed by that device.
[B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
That's a major problem because phone extractions are performed to secure evidence to use in criminal cases. If law enforcement agencies can't trust the data they've extracted or rely on the reports generated by Cellebrite to perform searches, they're going to find their evidence tossed or impossible to submit in the first place.
Further inspection of Cellebrite's software also shows the company has ported over chunks of Apple's proprietary code intact and is using it to assist in iPhone extractions. Presumably, Cellebrite hasn't obtained a license from Apple to use this code in its devices (and redistribute the code with every device sold), so perhaps we'll be hearing something from Apple's lawyers in the near future.
This table-turning was likely provoked by Cellebrite's incredibly questionable claim it had "cracked" Signal's encryption. Instead, as more information came out -- including its use in criminal cases -- it became clear Cellebrite did nothing more than anyone could do with an unlocked phone: open up the Signal app and obtain the content of those messages.
Fortunately for everyone not currently working for Cellebrite, a delivery incident occurred and a phone-hacking device was impacted. Signal isn't worried that Cellebrite can break its encryption. In fact, it doesn't appear to be worried at all. This examination of Cellebrite hacking tools will only result in a small cosmetic refresh for Signal.
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. [...] We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
Maybe this will force Cellebrite to care a bit more deeply about its security and the security of its customers. Or maybe it will brute force its way past this, assuming its customers still have that "our word against yours" thing that tends to work pretty well in court. But it's not the only player in the phone-cracking field. So it might want to step its security game up a bit. Or at least stop picking fights with encrypted services.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, moxie marlinspike, signal, vulnerabilities
Companies: cellebrite
Reader Comments
Subscribe: RSS
View by: Time | Thread
When will the sexting images between Micky and Minnie show up in court?
[ link to this | view in chronology ]
Re:
As soon as we see the divorce trial due to Minnie's adulterous affair with Goofy.
[ link to this | view in chronology ]
Re: Re:
I never said Minnie was crazy I said she was F*&@ing Goofy
[ link to this | view in chronology ]
Who is going to tell Moxie about XRY (MSAB), Oxygen Forensics, Elcomsoft, X-Ways, EnCase (OpenText), FTK (Exterro), Belkasoft, Nuix, MobilEdit (Compelson), Axiom (Magnet Forensics) and all the other forensics software vendors.
[ link to this | view in chronology ]
Re:
Moxie, as noted in the article, seems to have done this in response to Cellebrite public claim that it broke Signal's encryption. This was retaliation for Cellebrite's public lies, not a principled stance on cell phone encryption crackers or forensics software generally.
[ link to this | view in chronology ]
Never underestimate the motivational power of spite.
[ link to this | view in chronology ]
Re:
True, "Never underestimate the power of the dark side".
[ link to this | view in chronology ]
Re: Re:
Cellebrite's claim wasn't too dissimilar to those already made by Oxygen, Elcomsoft or Belkasoft. Cellebrite just showed their working.
[ link to this | view in chronology ]
Re: Re: Re:
Signal's encryption was not broken. Cellebrite claimed it broke the encryption.
Cellebrite can, if it cracks the Iphone, access the decrypted messages from the signal app....which is expected behavior. Signal only encrypts messages in transit.
Say I ship a safe with gold. My recipient stores the gold in their home and hasn't locked the safe. If a thief breaks into the home, its not accurate to say they cracked the safe.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Cellebrite claimed it could decrypt the sqlcipher encrypted databases used by Signal and explained how they did it. The BBC and others reported that as Cellebrite cracked Signal.
What Cellebrite (as well as Elcomsoft and others) did may not be clever to you and me, but to the average corporate or police investigator or a lawyer, it's a huge help.
[ link to this | view in chronology ]
Re: Re: Re: Re:
"Expected" by whom? Do people choose do save all their messages forever, or does the app just do it without asking?
And do we know anything about how they "crack the Iphone"?
[ link to this | view in chronology ]
Re: Re: Re: Re:
I'm somehow reminded of the time when I saw an ad for a "toy" shipped out of China many years ago - must have been vintage windows XP days - a dongle pre-loaded with the most common cracking scripts meant to usurp control over wireless devices. Basically you just turned it on, waited for airshark to grab the relevant stream, then selected which connection you wanted to hack and pressed "go".
Didn't work for everything - but worked for every current household out-of-the-box security setup.
Cellebrite's devices seem to operate in this manner. And for most phone setups using the exact same template of security, this probably works pretty well.
[ link to this | view in chronology ]
tiny correction?
[ link to this | view in chronology ]
specially formatted but otherwise innocuous files
I hope they will be made available for storage and archive on individual devices.
[ link to this | view in chronology ]
Re: specially formatted but otherwise innocuous files
The problem is that as soon as Cellebrite gets its hands on one of them, Cellebrite learns about one of the vulnerabilities and also learns that that particular vulnerability is a priority. That means that the all the known ones get fixed much faster, and without Cellebrite having to invest in cleaning up the whole code base.
That's the whole reason for rolling them out in small numbers, to established accounts, using sharding. It could take a long time for Cellebrite to collect them all even if there are only 10 of them.
[ link to this | view in chronology ]
tiny correction?
{ok, how does one edit one's own post?}
[and hitting ENTER on the post Title actually /posts/ the empty Titled post?](instead of Carriage Return to empty Post Body)
anyhow:
the Department error was noticed in Crystal Ball,
but I had no way to contact anyone to express concern for:
"what-if-this-FEEL-into-the-wrong-hands"
perhaps should read:
"what-if-this-FELL-into-the-wrong-hands"
[emphasis added to draw attention]
[ link to this | view in chronology ]
Re: tiny correction?
Id note that general Web Browser UI design (and application UI Design for that matter) for more than a decade has used the carriage return as a submit. Getting a new line requires use of shift-enter (which in word processors provides a new line without creating a new paragraph bypassing default paragraph spacing settings). Carriage return is not used as form navigation tool in the modern era and hasn't been widely used as such in the PC space since at least Windows XP, but I think it was depreciated even in Win 3.1. Tab is generally the form navigation tool of choice
[ link to this | view in chronology ]
Re: Re: tiny correction?
@ James,
I don't want to argue so early in the morning, but I can say with impunity that I'm able to use the Enter key as I wish when in a Text Box, and it will create a new line, every time. To expect the Enter key to act as a "Submit" switch is an absolute no-no when using a text entry form (a Text Box). That's why designers put a "Submit" button just outside of the Text Box itself.
What likely happens, and I'm no stranger to this phenomenon, is that a laptop's touchpad is always looking for ways to screw the keyboardist by doing something that wasn't desired. If the hand is anywhere near the overly sensitive capacitance device (the touchpad), then depending on where the cursor was sitting, it's very conceivable that the Submit action was triggered, and the rest of the story is told in tears, such as Ceyarracks had to do. I finally just reached in and physically disconnected the bleepin' thing, and hooked up an external mouse. Renders the laptop's mobility a few index points lower, but I'm no longer frustrated at things happening when I don't want or expect them to happen.
[ link to this | view in chronology ]
Re: Re: Re: tiny correction?
You can't on Facebook. Enter submits. Same with twitter. But that doesn't matter, because you didn't indicate you were trying to make a new line. You discussed the enter key behavior from the "post title". Techdirt doesn't have a field that uses that label in the UI. But I can assume you mean the "Subject" box. The subject box is....a different text box than the body. That field would be properly limited to a single line with word wrap enabled. I had assumed you were trying to navigate to the main comment text box, which would be a move to a completely different field, not a new line, because that is what you described.
And I know you can't be talking about new lines in the body section of the comments. Because in the body section, where new lines are both expected and normal, enter works as you describe. So your issue is not a text box not creating a new line. Your issue is that you are trying to move from the Subject field to the Body field with enter, which is navigating a form. The use of enter for this purpose hasn't been in vogue for decades.
[ link to this | view in chronology ]
Re: tiny correction?
One does not edit One's posts. It just isn't a thing here.
[ link to this | view in chronology ]
Re: Re: tiny correction?
One does not simply edit one's posts.
[ link to this | view in chronology ]
Re: tiny correction?
"{ok, how does one edit one's own post?}"
You don't. You click preview and make sure things are correct before posting, or you say "mea culpa" and remain glad that an edit feature isn't here for the trolls to abuse.
[ link to this | view in chronology ]
Sounds like Cellbrite stuff will not be usable for the foreseeable future. I look forward to their response.
[ link to this | view in chronology ]
One DLL used to handle extracted video content hasn't been updated since 2012, ignoring more than 100 patches that have been made available since then.
Another article identifies that as ffmpeg, so it's really likely there's an LGPL/GPL violation there. Makes me wonder about how much other open-source code might be in there.
[ link to this | view in chronology ]
Re:
You mean they are violating the law!?!?
Say it isn't so.
[ link to this | view in chronology ]
Evidence Chain Irrelevant
A big problem here is many Cellebrite customers are members of despotic regimes with scant care for due process -- little better than thugs. They won't care if the evidence is tainted.
[ link to this | view in chronology ]
Besides this, it's worth noting that Moxie didn't release enough information for people to exploit the vulnerabilities. Cellebrite will likely pull the same shit Microsoft was known for in the '90s: say that nobody's known to be exploiting this, and only a particularly sophisticated person (in today's language: "nation-state-level threat actor") would be able to execute code via the vulnerability. Oh, and by the way, we've fixed the problems he noted. (How's anyone going to prove that wrong? They only sell to the clueless—officially, to governments, but they must be clueless or corrupt if they didn't notify anyone of these obvious flaws—and Moxie's unlikely to come across another by chance.)
[ link to this | view in chronology ]
Re: Evidence Chain Irrelevant
Except when some astetically pleasing honeypots get read & the report says there is nothing there.
(Cause well despots don;t actually buy cellebrite people are guilty & never proven innocent)
Of course now that there is verifiable evidence that these extracts can be tampered with, without leaving traces & leave the extract device in a state where cellebrite or the cops (US) can't prove the extract has been modified well it sort of raises questions for courts... how can we trust you claiming they are a terrorist when you can't prove that what we see in the extract is whats actually on the phone.
[ link to this | view in chronology ]
Tim, what are you getting at with this? Did he add this statement after law enforcement were publically speculating?
Is it dangerous for Moxie to make a statement like this? A lot of places have laws that require lost property to be handled in a specific way when found by a non-owner. I think it would've been safer to just say someone gave or loaned it to him, even if that's a lie. Unless he had reason to believe it stolen, that wouldn't be an admission of any illegal activity on his part.
[ link to this | view in chronology ]
Compared to prosecutors changing their pants for the bad reason
[B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
And in one fell swoop countless defense attorneys just needed to go change their pants for the good(if awkward) reason. Having it demonstrated that it's possible to undetectably corrupt the device such that it becomes impossible to trust the results it gives just made any evidence from it seriously questionable, and I suspect that countless defense attorneys will be arguing that any evidence gathered that way be tossed as inadmissible as a result, an argument that's going to be rather hard to refute with this finding.
[ link to this | view in chronology ]
"Fell off a truck" is still theft
Even if it really did fall off a truck, the device remains the property of the owner, not the person who found it. Moxie Marlinespike should immediately take steps to return this property to its lawful owner.
Of course I don't believe that story for a minute, but if Marlinespike finds it necessary to publicly admit to a crime in order to cover up the truth, what is he covering up?
[ link to this | view in chronology ]
Covering up a crime
Principals of plausible deniability tells me a friend of a friend in a precinct was able to secure one for him.
[ link to this | view in chronology ]
Re: Covering up a crime
Why would he lie about that? It wouldn't be a crime for him to possess or use borrowed hardware, unlike hardware that fell off a truck.
[ link to this | view in chronology ]
Why would he lie
Maybe to cover for the friend who procured it for him, who may have committed crimes but more importantly betrayed his blue brethren.
I suspect such a friend, if he was uncovered, would face more than dismissal.
[ link to this | view in chronology ]
Re: Covering up a crime
So then how do we know for sure that the device that Moxie "found" wasn't a setup device, a fake with real vons to make Moxie look foolish. Time will tell.
[ link to this | view in chronology ]
A "setup" device.
This is a possibility, but that would involve someone at the precinct knowing more about cracking phones than Celebrite, or Moxie.
That's the sort of multi-dimensional gaming that maybe the CIA would play with a rival agency, maybe.
[ link to this | view in chronology ]
“they're only sold to government agencies.”
That /MAY/ or may not be true today.
However the company’s products were long the go to for cell phone stores, and mobile device technicians. Purchasable directly from the company. Both T-Mobile and AT&T stores have them.
There are millions in private hands.
The products work great for cloning. Taking data from a damaged or broken phone and porting it to a replacement.
Selective extraction allows transfer from un-matched devices.
Not as useful today since device manufacturers have made it exceedingly easy to port between devices today. But for many many years they were used by technicians around the world.
[ link to this | view in chronology ]