Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns

from the distinct-lack-of-'what-if-this-feel-into-the-wrong-hands'-thinking-by-Ce dept

A pretty hilarious turn of events has led to Cellebrite's phone hacking tech being hacked by Signal's Moxie Marlinspike, revealing that the tech law enforcement uses to pull data from seized phones is riddled with major security flaws.

According to Marlinspike, the Cellebrite came into his possession thanks to some careless package handling.

By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.

This must be what actually happened. I mean, there's a photo of a Cellebrite lying on the street. That should end any senseless law enforcement speculation about this device's origin story.

The fun starts immediately, with Marlinspike finding all sorts of things wrong with Cellebrite's own device security. This would seem to be a crucial aspect considering Cellebrite performs raw extractions of unvetted data from seized phones, which means any malware residing on the target device is fed straight into Cellebrite's own parsers. But that doesn't appear to concern Cellebrite, which seems to feel its products will remain unmolested because they're only sold to government agencies.

Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.

Just one example of this carelessness is the set of unpatched DLLs shipped with the Cellebrite system software. One DLL used to handle extracted video content hasn't been updated since 2012, ignoring more than 100 patches that have been made available since then.
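As an added illustration (not code from the article or from Signal's write-up), this is the kind of audit a practitioner would run over a vendor's shipped DLLs to check the two things the passage names: whether each binary was linked with the standard Windows exploit mitigations (ASLR, DEP, CFG and high-entropy VA, recorded as flag bits in the PE optional header's DllCharacteristics field) and how old its linker build timestamp is. The PE images it inspects are constructed inside the block as header-only stubs; they are not real Cellebrite files. The header offsets and flag values come from the public PE/COFF format.

```python
import struct
import time

# Bits of the PE optional header's DllCharacteristics field, as documented in
# the Microsoft PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR may use the full address space
DYNAMIC_BASE = 0x0040      # image is relocatable, i.e. ASLR applies
NX_COMPAT = 0x0100         # DEP: data pages are non-executable
GUARD_CF = 0x4000          # Control Flow Guard instrumentation present

# Mitigations every modern DLL should carry, in the order they are reported.
EXPECTED = {"ASLR": DYNAMIC_BASE, "DEP": NX_COMPAT, "CFG": GUARD_CF}
SECONDS_PER_YEAR = 365.25 * 86400


def audit_pe(data: bytes, now=None) -> dict:
    """Parse a PE image's headers and report which mitigations are missing
    and how many years old its linker build timestamp is."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, coff + 4)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    missing = [name for name, bit in EXPECTED.items() if not dll_chars & bit]
    if magic == 0x20B and not dll_chars & HIGH_ENTROPY_VA:
        missing.append("HighEntropyVA")
    now = time.time() if now is None else now
    return {"missing": missing,
            "build_age_years": round((now - timestamp) / SECONDS_PER_YEAR, 1)}


def make_pe(dll_chars: int, timestamp: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE stub for testing (no sections, no code);
    not a real DLL from any vendor."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, timestamp, 0, 0, opt_size,
                       0x2000)                          # IMAGE_FILE_DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Reference point for the age calculation: 2021-04-26 00:00 UTC (constructed).
NOW = 1619395200
# A stub "built" on 2012-01-01 with no mitigation flags at all.
STALE_DLL = make_pe(0, 1325376000)
# A stub built on 2021-01-01 with every mitigation flag set.
HARDENED_DLL = make_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | GUARD_CF,
                       1609459200)

if __name__ == "__main__":
    for label, image in (("stale", STALE_DLL), ("hardened", HARDENED_DLL)):
        print(label, audit_pe(image, now=NOW))
```

Run against a real install directory, `audit_pe` would be fed the bytes of each DLL and EXE in turn; a DLL reporting a build age of nine years and an empty mitigation set is exactly the profile the article describes, and the build timestamp is worth cross-checking against the vendor's release notes, since a stale third-party component usually also means unapplied upstream security fixes.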

This means it wouldn't be much of a hassle to target Cellebrite devices with code that could corrupt not only the current data extraction but also the results of every previous extraction performed by that device.

[B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

That's a major problem because phone extractions are performed to secure evidence to use in criminal cases. If law enforcement agencies can't trust the data they've extracted or rely on the reports generated by Cellebrite to perform searches, they're going to find their evidence tossed or impossible to submit in the first place.
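The "no detectable timestamp changes or checksum failures" part of the quoted finding is a design lesson about where integrity protection has to live. As an added example (not code from the article, from Signal, or from Cellebrite), the block below contrasts two ways of protecting a stored extraction report: a checksum embedded in the report file, which anyone able to rewrite the file can simply recompute, and a manifest of per-item digests authenticated with a key that is never present on the extraction workstation, which makes any later modification of the report detectable. The report, the key and the edit are all constructed sample data.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample extraction report (not real tool output).
SAMPLE_REPORT = {
    "device": "EXAMPLE-DEVICE-001",
    "items": [
        {"path": "sms/0001.json", "content": "lunch at 12?"},
        {"path": "photos/IMG_0001.jpg", "content": "<binary placeholder>"},
    ],
}


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so digests do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _item_digests(report: dict) -> dict:
    return {it["path"]: hashlib.sha256(it["content"].encode()).hexdigest()
            for it in report["items"]}


def naive_checksum(report: dict) -> dict:
    """Weak scheme: a checksum stored inside the report itself. It depends on
    nothing the writer lacks, so whoever can rewrite the file can recompute it."""
    body = {k: v for k, v in report.items() if k != "checksum"}
    return {**body, "checksum": hashlib.sha256(_canonical(body)).hexdigest()}


def naive_verify(report: dict) -> bool:
    return naive_checksum(report)["checksum"] == report.get("checksum")


def seal(report: dict, key: bytes) -> dict:
    """Stronger scheme: a manifest of per-item digests authenticated with an
    HMAC whose key is never stored on the extraction workstation (an HSM or
    separate signing service in practice; a plain bytes value here)."""
    manifest = {"device": report["device"], "items": _item_digests(report)}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_sealed(report: dict, sealed: dict, key: bytes) -> bool:
    """True only if the manifest is authentic and every item still matches it."""
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return False
    return _item_digests(report) == sealed["manifest"]["items"]


def modify_stored_report(report: dict) -> dict:
    """Simulate a later edit of a report already on disk: change one item and,
    as code running on the same host could, recompute the embedded checksum."""
    edited = copy.deepcopy(report)
    edited["items"][0]["content"] = "meet me at the warehouse"
    return naive_checksum(edited)


def demo() -> dict:
    key = b"constructed-off-host-key"       # stands in for an HSM-held secret
    stored = naive_checksum(SAMPLE_REPORT)  # report as written by the tool
    sealed = seal(stored, key)              # manifest produced at sealing time
    edited = modify_stored_report(stored)
    return {
        "naive_after_edit": naive_verify(edited),                 # True: undetected
        "sealed_after_edit": verify_sealed(edited, sealed, key),  # False: caught
        "sealed_untouched": verify_sealed(stored, sealed, key),   # True
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the finding. Sealing covers only changes made after the manifest exists, so it addresses the "previous reports" half of the problem; anything that runs during the scan itself can still shape what gets sealed, which is why the parsers need the mitigations the quoted passage says are missing. And the sealing key must genuinely be unreachable from the extraction host (and the manifest's timestamp supplied by the signing service rather than the host clock), otherwise the HMAC is as recomputable as the naive checksum.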

Further inspection of Cellebrite's software also shows the company has ported over chunks of Apple's proprietary code intact and is using it to assist in iPhone extractions. Presumably, Cellebrite hasn't obtained a license from Apple to use this code in its devices (and redistribute the code with every device sold), so perhaps we'll be hearing something from Apple's lawyers in the near future.

This table-turning was likely provoked by Cellebrite's incredibly questionable claim it had "cracked" Signal's encryption. Instead, as more information came out -- including its use in criminal cases -- it became clear Cellebrite did nothing more than anyone could do with an unlocked phone: open up the Signal app and obtain the content of those messages.

Fortunately for everyone not currently working for Cellebrite, a delivery incident occurred and a phone-hacking device was impacted. Signal isn't worried that Cellebrite can break its encryption. In fact, it doesn't appear to be worried at all. This examination of Cellebrite hacking tools will only result in a small cosmetic refresh for Signal.

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. [...] We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

Maybe this will force Cellebrite to care a bit more deeply about its security and the security of its customers. Or maybe it will brute force its way past this, assuming its customers still have that "our word against yours" thing that tends to work pretty well in court. But it's not the only player in the phone-cracking field. So it might want to step its security game up a bit. Or at least stop picking fights with encrypted services.


Filed Under: hacking, moxie marlinspike, signal, vulnerabilities
Companies: cellebrite


Reader Comments

    Anonymous Coward, 26 Apr 2021 @ 6:34am

    When will the sexting images between Micky and Minnie show up in court?

    Anonymous Coward, 26 Apr 2021 @ 6:47am

    Who is going to tell Moxie about XRY (MSAB), Oxygen Forensics, Elcomsoft, X-Ways, EnCase (OpenText), FTK (Exterro), Belkasoft, Nuix, MobilEdit (Compelson), Axiom (Magnet Forensics) and all the other forensics software vendors.

      James Burkhardt (profile), 26 Apr 2021 @ 8:20am

      Re:

      Moxie, as noted in the article, seems to have done this in response to Cellebrite's public claim that it broke Signal's encryption. This was retaliation for Cellebrite's public lies, not a principled stance on cell phone encryption crackers or forensics software generally.

        Stephen T. Stone (profile), 26 Apr 2021 @ 8:43am

        Never underestimate the motivational power of spite.

        Anonymous Coward, 26 Apr 2021 @ 8:52am

        Re: Re:

        Cellebrite's claim wasn't too dissimilar to those already made by Oxygen, Elcomsoft or Belkasoft. Cellebrite just showed their working.

          James Burkhardt (profile), 26 Apr 2021 @ 9:38am

          Re: Re: Re:

          Signal's encryption was not broken. Cellebrite claimed it broke the encryption.

          Cellebrite can, if it cracks the iPhone, access the decrypted messages from the Signal app....which is expected behavior. Signal only encrypts messages in transit.

          Say I ship a safe with gold. My recipient stores the gold in their home and hasn't locked the safe. If a thief breaks into the home, it's not accurate to say they cracked the safe.

            Anonymous Coward, 26 Apr 2021 @ 10:55am

            Re: Re: Re: Re:

            Cellebrite claimed it broke the encryption.

            Cellebrite claimed it could decrypt the sqlcipher encrypted databases used by Signal and explained how they did it. The BBC and others reported that as Cellebrite cracked Signal.

            What Cellebrite (as well as Elcomsoft and others) did may not be clever to you and me, but to the average corporate or police investigator or a lawyer, it's a huge help.

            Anonymous Coward, 26 Apr 2021 @ 5:08pm

            Re: Re: Re: Re:

            Cellebrite can, if it cracks the iPhone, access the decrypted messages from the Signal app....which is expected behavior.

            "Expected" by whom? Do people choose to save all their messages forever, or does the app just do it without asking?

            And do we know anything about how they "crack the iPhone"?

            Scary Devil Monastery (profile), 27 Apr 2021 @ 12:17am

            Re: Re: Re: Re:

            I'm somehow reminded of the time when I saw an ad for a "toy" shipped out of China many years ago - must have been vintage Windows XP days - a dongle pre-loaded with the most common cracking scripts meant to usurp control over wireless devices. Basically you just turned it on, waited for airshark to grab the relevant stream, then selected which connection you wanted to hack and pressed "go".

            Didn't work for everything - but worked for every current household out-of-the-box security setup.

            Cellebrite's devices seem to operate in this manner. And for most phone setups using the exact same template of security, this probably works pretty well.

    Ceyarrecks (profile), 26 Apr 2021 @ 8:13am

    tiny correction?

    Anonymous Coward, 26 Apr 2021 @ 8:18am

    specially formatted but otherwise innocuous files

    I hope they will be made available for storage and archive on individual devices.

      Sok Puppette, 26 Apr 2021 @ 9:25am

      Re: specially formatted but otherwise innocuous files

      The problem is that as soon as Cellebrite gets its hands on one of them, Cellebrite learns about one of the vulnerabilities and also learns that that particular vulnerability is a priority. That means that all the known ones get fixed much faster, and without Cellebrite having to invest in cleaning up the whole code base.

      That's the whole reason for rolling them out in small numbers, to established accounts, using sharding. It could take a long time for Cellebrite to collect them all even if there are only 10 of them.

    Ceyarrecks (profile), 26 Apr 2021 @ 8:18am

    tiny correction?

    {ok, how does one edit one's own post?}
    [and hitting ENTER on the post Title actually /posts/ the empty Titled post?](instead of Carriage Return to empty Post Body)

    anyhow:

    the Department error was noticed in Crystal Ball,
    but I had no way to contact anyone to express concern for:
    "what-if-this-FEEL-into-the-wrong-hands"

    perhaps should read:

    "what-if-this-FELL-into-the-wrong-hands"
    [emphasis added to draw attention]

      James Burkhardt (profile), 26 Apr 2021 @ 8:32am

      Re: tiny correction?

      I'd note that general Web Browser UI design (and application UI Design for that matter) for more than a decade has used the carriage return as a submit. Getting a new line requires use of shift-enter (which in word processors provides a new line without creating a new paragraph, bypassing default paragraph spacing settings). Carriage return is not used as a form navigation tool in the modern era and hasn't been widely used as such in the PC space since at least Windows XP, but I think it was deprecated even in Win 3.1. Tab is generally the form navigation tool of choice.

        sumgai (profile), 26 Apr 2021 @ 9:45am

        Re: Re: tiny correction?

        @ James,

        I don't want to argue so early in the morning, but I can say with impunity that I'm able to use the Enter key as I wish when in a Text Box, and it will create a new line, every time. To expect the Enter key to act as a "Submit" switch is an absolute no-no when using a text entry form (a Text Box). That's why designers put a "Submit" button just outside of the Text Box itself.

        What likely happens, and I'm no stranger to this phenomenon, is that a laptop's touchpad is always looking for ways to screw the keyboardist by doing something that wasn't desired. If the hand is anywhere near the overly sensitive capacitance device (the touchpad), then depending on where the cursor was sitting, it's very conceivable that the Submit action was triggered, and the rest of the story is told in tears, such as Ceyarrecks had to do. I finally just reached in and physically disconnected the bleepin' thing, and hooked up an external mouse. Renders the laptop's mobility a few index points lower, but I'm no longer frustrated at things happening when I don't want or expect them to happen.

          James Burkhardt (profile), 4 Aug 2021 @ 9:49am

          Re: Re: Re: tiny correction?

          You can't on Facebook. Enter submits. Same with twitter. But that doesn't matter, because you didn't indicate you were trying to make a new line. You discussed the enter key behavior from the "post title". Techdirt doesn't have a field that uses that label in the UI. But I can assume you mean the "Subject" box. The subject box is....a different text box than the body. That field would be properly limited to a single line with word wrap enabled. I had assumed you were trying to navigate to the main comment text box, which would be a move to a completely different field, not a new line, because that is what you described.

          And I know you can't be talking about new lines in the body section of the comments. Because in the body section, where new lines are both expected and normal, enter works as you describe. So your issue is not a text box not creating a new line. Your issue is that you are trying to move from the Subject field to the Body field with enter, which is navigating a form. The use of enter for this purpose hasn't been in vogue for decades.

      Anonymous Coward, 26 Apr 2021 @ 1:48pm

      Re: tiny correction?

      One does not edit One's posts. It just isn't a thing here.

      PaulT (profile), 27 Apr 2021 @ 5:25am

      Re: tiny correction?

      "{ok, how does one edit one's own post?}"

      You don't. You click preview and make sure things are correct before posting, or you say "mea culpa" and remain glad that an edit feature isn't here for the trolls to abuse.

    Nathan F (profile), 26 Apr 2021 @ 8:22am

    Sounds like Cellebrite stuff will not be usable for the foreseeable future. I look forward to their response.

    z! (profile), 26 Apr 2021 @ 8:28am

    One DLL used to handle extracted video content hasn't been updated since 2012, ignoring more than 100 patches that have been made available since then.

    Another article identifies that as ffmpeg, so it's really likely there's an LGPL/GPL violation there. Makes me wonder about how much other open-source code might be in there.

    Joel Coehoorn, 26 Apr 2021 @ 9:54am

    Evidence Chain Irrelevant

    If law enforcement agencies can't trust the data they've extracted or rely on the reports generated by Cellebrite to perform searches, they're going to find their evidence tossed or impossible to submit in the first place.

    A big problem here is many Cellebrite customers are members of despotic regimes with scant care for due process -- little better than thugs. They won't care if the evidence is tainted.

      Anonymous Coward, 26 Apr 2021 @ 12:38pm

      Besides this, it's worth noting that Moxie didn't release enough information for people to exploit the vulnerabilities. Cellebrite will likely pull the same shit Microsoft was known for in the '90s: say that nobody's known to be exploiting this, and only a particularly sophisticated person (in today's language: "nation-state-level threat actor") would be able to execute code via the vulnerability. Oh, and by the way, we've fixed the problems he noted. (How's anyone going to prove that wrong? They only sell to the clueless—officially, to governments, but they must be clueless or corrupt if they didn't notify anyone of these obvious flaws—and Moxie's unlikely to come across another by chance.)

      That Anonymous Coward (profile), 26 Apr 2021 @ 1:03pm

      Re: Evidence Chain Irrelevant

      Except when some aesthetically pleasing honeypots get read & the report says there is nothing there.
      (Cause well, despots don't actually buy Cellebrite; people are guilty & never proven innocent)

      Of course now that there is verifiable evidence that these extracts can be tampered with, without leaving traces, & leave the extract device in a state where Cellebrite or the cops (US) can't prove the extract has been modified, well it sort of raises questions for courts... how can we trust you claiming they are a terrorist when you can't prove that what we see in the extract is what's actually on the phone.

    Anonymous Coward, 26 Apr 2021 @ 12:44pm

    This must be what actually happened. I mean, there's a photo of a Cellebrite lying on the street. That should end any senseless law enforcement speculation about this device's origin story.

    Tim, what are you getting at with this? Did he add this statement after law enforcement were publicly speculating?

    Is it dangerous for Moxie to make a statement like this? A lot of places have laws that require lost property to be handled in a specific way when found by a non-owner. I think it would've been safer to just say someone gave or loaned it to him, even if that's a lie. Unless he had reason to believe it stolen, that wouldn't be an admission of any illegal activity on his part.

    That One Guy (profile), 26 Apr 2021 @ 1:44pm

    Compared to prosecutors changing their pants for the bad reason

    [B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    And in one fell swoop countless defense attorneys just needed to go change their pants for the good (if awkward) reason. Having it demonstrated that it's possible to undetectably corrupt the device such that it becomes impossible to trust the results it gives just made any evidence from it seriously questionable, and I suspect that countless defense attorneys will be arguing that any evidence gathered that way be tossed as inadmissible as a result, an argument that's going to be rather hard to refute with this finding.

    Paul (profile), 26 Apr 2021 @ 11:32pm

    "Fell off a truck" is still theft

    Even if it really did fall off a truck, the device remains the property of the owner, not the person who found it. Moxie Marlinspike should immediately take steps to return this property to its lawful owner.

    Of course I don't believe that story for a minute, but if Marlinspike finds it necessary to publicly admit to a crime in order to cover up the truth, what is he covering up?

      Uriel-238 (profile), 27 Apr 2021 @ 1:36pm

      Covering up a crime

      Principles of plausible deniability tell me a friend of a friend in a precinct was able to secure one for him.

        Anonymous Coward, 27 Apr 2021 @ 4:41pm

        Re: Covering up a crime

        Principles of plausible deniability tell me a friend of a friend in a precinct was able to secure one for him.

        Why would he lie about that? It wouldn't be a crime for him to possess or use borrowed hardware, unlike hardware that fell off a truck.

          Uriel-238 (profile), 28 Apr 2021 @ 9:06pm

          Why would he lie

          Maybe to cover for the friend who procured it for him, who may have committed crimes but more importantly betrayed his blue brethren.

          I suspect such a friend, if he was uncovered, would face more than dismissal.

        Anonymous Coward, 28 Apr 2021 @ 3:55pm

        Re: Covering up a crime

        So then how do we know for sure that the device that Moxie "found" wasn't a setup device, a fake with real vulns to make Moxie look foolish. Time will tell.

          Uriel-238 (profile), 28 Apr 2021 @ 9:09pm

          A "setup" device.

          This is a possibility, but that would involve someone at the precinct knowing more about cracking phones than Cellebrite, or Moxie.

          That's the sort of multi-dimensional gaming that maybe the CIA would play with a rival agency, maybe.

    Lostinlodos (profile), 1 May 2021 @ 1:35pm

    “they're only sold to government agencies.”
    That /MAY/ or may not be true today.

    However, the company's products were long the go-to for cell phone stores and mobile device technicians. Purchasable directly from the company. Both T-Mobile and AT&T stores have them.

    There are millions in private hands.
    The products work great for cloning. Taking data from a damaged or broken phone and porting it to a replacement.
    Selective extraction allows transfer from un-matched devices.

    Not as useful today since device manufacturers have made it exceedingly easy to port between devices today. But for many many years they were used by technicians around the world.
