Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns

from the distinct-lack-of-'what-if-this-feel-into-the-wrong-hands'-thinking-by-Ce dept

A pretty hilarious turn of events has led to Cellebrite's phone hacking tech being hacked by Signal's Moxie Marlinspike, revealing the tech law enforcement uses to pull data from seized phones is host to major security flaws.

According to Marlinspike, the Cellebrite came into his possession thanks to some careless package handling.

By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.

This must be what actually happened. I mean, there's a photo of a Cellebrite lying on the street. That should end any senseless law enforcement speculation about this device's origin story.

The fun starts immediately, with Marlinspike finding all sorts of things wrong with Cellebrite's own device security. This would seem to be a crucial aspect considering Cellebrite performs raw extractions of unvetted data from seized phones, which could result in the forced delivery of malware residing on the target device. But that doesn't appear to concern Cellebrite, which seems to feel its products will remain unmolested because they're only sold to government agencies.

Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.

Just one example of this carelessness is unpatched DLLs residing in the Cellebrite system software. One DLL used to handle extracted video content hasn't been updated since 2012, ignoring more than 100 patches that have been made available since then.

This means it wouldn't be much of a hassle to target Cellebrite devices with code that could corrupt not only the current data extraction but also the results of every previous extraction performed by that device.

[B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

That's a major problem because phone extractions are performed to secure evidence to use in criminal cases. If law enforcement agencies can't trust the data they've extracted or rely on the reports generated by Cellebrite to perform searches, they're going to find their evidence tossed or impossible to submit in the first place.

Further inspection of Cellebrite's software also shows the company has ported over chunks of Apple's proprietary code intact and is using it to assist in iPhone extractions. Presumably, Cellebrite hasn't obtained a license from Apple to use this code in its devices (and redistribute the code with every device sold), so perhaps we'll be hearing something from Apple's lawyers in the near future.

This table-turning was likely provoked by Cellebrite's incredibly questionable claim it had "cracked" Signal's encryption. Instead, as more information came out -- including its use in criminal cases -- it became clear Cellebrite did nothing more than anyone could do with an unlocked phone: open up the Signal app and obtain the content of those messages.

Fortunately for everyone not currently working for Cellebrite, a delivery incident occurred and a phone-hacking device was impacted. Signal isn't worried that Cellebrite can break its encryption. In fact, it doesn't appear to be worried at all. This examination of Cellebrite hacking tools will only result in a small cosmetic refresh for Signal.

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. [...] We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

Maybe this will force Cellebrite to care a bit more deeply about its security and the security of its customers. Or maybe it will brute force its way past this, assuming its customers still have that "our word against yours" thing that tends to work pretty well in court. But it's not the only player in the phone-cracking field. So it might want to step its security game up a bit. Or at least stop picking fights with encrypted services.

Filed Under: hacking, moxie marlinspike, signal, vulnerabilities
Companies: cellebrite

Schools Are Using Phone-Cracking Tech To Access The Contents Of Students' Devices

from the brave-new-hellscape dept

To the detriment of our nation's future, the future of our nation is increasingly being subjected to law enforcement's presents (and presence). On the plus side, it will help students grow up with a healthy distrust of their government.

We've put cops in schools so kids can be subjected to the same brutality adults receive. Disciplinary problems long-handled by schools and parents are now handled with handcuffs and criminal charges. The same questionable science that leads cops to believe future criminal acts can be predicted by algorithms and checklists is being wielded against children, turning their bad grades and spotty attendance records into criminal predicates.

Now, there's this: the use of high-tech hacking tools to forensically scrape kids' phones for evidence of alleged criminal acts.

In May 2016, a student enrolled in a high-school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other, “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child.

While this may have resulted in something that actually prevented further harm to a student, the fact that schools possess tools capable of bypassing device encryption is… well, horrifying. We're talking about minors here, not dangerous criminals. This case is not a great argument for the acquisition and use of phone-cracking tools by educators. There were many ways to approach this problem, but this one was the easiest. And it shows those selling phone-cracking tech don't really care who buys it or what they use it for.

Cracking a phone to scrape it for evidence gives investigators easy access to communications and other private info even a consenting minor wouldn't agree to share with others. But the tools can't make that distinction. And investigators assume consent for a search means looking at everything the tools give them access to.

The Cellebrite used in this case was owned by the local sheriff's office. That it decided it was appropriate to use on a minor's phone is disturbing, to say the least. It seems the same thing could have been accomplished by the minor providing them with access to the messages, which could have been documented and downloaded without engaging in a forensic search of the phone.

This isn't some sort of anomaly. As Gizmodo reports, multiple school districts are buying phone-cracking tech to access the content of students' devices.

In March 2020, the North East Independent School District, a largely Hispanic district north of San Antonio, wrote a check to Cellebrite for $6,695 for “General Supplies.” In May, Cypress-Fairbanks ISD near Houston, Texas, paid Oxygen Forensics Inc., another mobile device forensics firm, $2,899. Not far away, majority-white Conroe ISD wrote a check to Susteen Inc., the manufacturer of the similar Secure View system, for $995 in September 2016.

According to Gizmodo, only eight districts in the US acknowledge publicly (via their websites) that they own device-cracking tech. The actual number is definitely much higher. This total doesn't include law enforcement agencies that own or have access to the tech, and whose "school resource officers" might decide is necessary to investigate students or their accusations against school employees.

Deploying this tech to search students' phones isn't just irresponsible, it's dangerous. Cops and prosecutors have rarely been reluctant to turn consensual sharing of intimate images into the "production" of "child pornography." Dig deep enough into someone's phone and you'll find something incriminating. And that's if the cops are simply looking for evidence. Some cops like to look at stuff just because they have the access and the power to demand compliance. Access to this tech guarantees abuse. But in these cases, the victim will be a minor -- people who are assumed to be more vulnerable and whose lives can be ruined before they can even be started.

Filed Under: education, encryption, law enforcement, phone cracking, schools, surveillance
Companies: cellebrite, susteen

As The DOJ Continues To Complain About Encryption, Cellebrite (Again) Announces It Can Crack Any IPhone

from the do-y'all-not-get-the-internet? dept

On Monday, June 17, Deputy Attorney General Jeffrey Rosen said this during his speech to the National Sheriffs' Association:

In recent years, criminals have become more and more adept at using technology to avoid law enforcement in what we call “going dark.” While “going dark” has many manifestations, some of its greatest impacts are in the areas of encryption, in assuring the security of information. But, as you well know, encryption also allows criminals to frustrate law enforcement's access to evidence — even where a neutral judge has found probable cause and ordered that we have access to that evidence.

I guess the "going dark" crowd doesn't get out much.

On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3, released just a month ago. Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9. No other law enforcement contractor has made such broad claims about a single product, at least not publicly.

It was announced very publicly. This wasn't a press release sent only to government agencies or the byproduct of leaked internal documents. It was announced on the company's Twitter account, letting everyone know Cellebrite is apparently beating almost every device maker at their own encryption game. Like GrayKey's offering, Cellebrite's updated encryption-breaker is hardware that can be used on site by purchasers, allowing law enforcement agencies to perform their own cracking and extraction.

Sure, the flaws used to bypass device security will be patched, and Cellebrite and its competitors will keep digging around in device hardware/software to find holes to exploit. The security vs. insecurity war will continue. But for all the weak arguments made by the head of the FBI -- especially the ones about Apple, etc. "profiting" from locking out law enforcement -- it would seem companies like Cellebrite are more likely to directly profit from device encryption. Encryption on phones is a standard offering, not a selling point. Tools that break encryption? Now, that's where the real money is.

Cellebrite, along with companies like GrayKey, are providing the solutions the FBI and DOJ think device manufacturers should be creating for them. We don't hear much from FBI officials about third party offerings because this agency would prefer a permanent fix delivered by Congress and the courts, rather than spend any of their own money and time trying to find a solution. The FBI has been misleading and dishonest for the entirety of its "going dark" campaign, all the while claiming tech companies would willingly give the FBI what it wants -- encryption backdoors -- if they would just engage in an "honest" conversation about the issue.

Filed Under: doj, encryption, fbi, going dark, ios, iphone
Companies: apple, cellebrite

There Is No Going Dark: Another Vendor Selling Tool That Cracks All iPhones

from the FBI's-dystopian-fiction-develops-another-plot-hole dept

The FBI continues to push its "going dark" theory. It's not interested in the truth. It would rather have a legislative mandate or a string of favorable court decisions than utilize options vendors have made available. These are the candles the FBI will forgo to publicly curse the darkness. A recent Inspector General's report made it crystal clear: those charged with finding a way to crack open the San Bernardino shooter's cell phone slow-walked their search in hopes of ending up with a judicial mandate forcing Apple to crack its own encryption.

The complaints about the darkness continue, even as vendors like Cellebrite have shown they can crack any iPhone given enough money and time. There are solutions out there, but the FBI doesn't want them. Cellebrite isn't the only company with an iPhone crack for sale. As Joseph Cox reports for Motherboard, another device has surfaced that can brute force its way past iPhone lock screens. The FBI may continue its disingenuous push for weakened encryption, but law enforcement agencies around the nation are more than willing to pay for a solution that doesn't involve Congressional reps or federal judges.

Grayshift has been shopping its iPhone cracking technology to police forces. The firm, which includes an ex-Apple security engineer on its staff, provided demonstrations to potential customers, according to one email.

"I attended your demo presentation recently held at the Montgomery County Police Headquarters and was pleased by your product's potential," an Assistant Commander from the Technical Investigations Section at the Maryland State Police wrote in an email to Grayshift in March.

The GrayKey itself is a small, 4x4 inches box with two lightning cables for connecting iPhones, according to photographs published by cybersecurity firm Malwarebytes. The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and and an offline, $30,000 version which can crack as many iPhones as the customer wants. Marketing material seen byForbes says GrayKey can unlock devices running iterations of Apple's latest mobile operating system iOS 11, including on the iPhone X, Apple's most recent phone.

According to documents obtained by Motherboard, multiple state and local law enforcement agencies have purchased Grayshift's device. The documents also show many agencies expressing an interest in picking up a GrayKey, including some at the federal level, like the DEA and, oddly enough, the FBI. The FBI doesn't appear to have acquired one yet, but if that's the case, it's lagging behind local PDs with less funding and tech expertise. It's also trailing the State Department, which has already acquired at least one of the devices.

The device comes in two flavors: an online version with a fixed number of unlocks or an offline version that retails for twice as much ($30,000) but can be used as often as the purchaser wants (or until Apple fixes the vulnerability, whichever comes first). The brute force method deployed takes anywhere from 2 hours to several days, depending on passcode complexity.

"Going dark" is a convenient lie. The FBI has been deliberately misconstruing reality for a couple of years now, beginning with then-director James Comey's coining of the phrase. Even while Comey was peddling his "going dark" theory to security researchers, Congressional reps, and federal judges, the FBI was rarely having trouble accessing device contents. In 2016, the FBI admitted it could access the contents of passcode-protected devices 87% of the time. Somehow, despite only incremental changes in encryption offerings, the small number of locked devices has grown from ~880 to over 7,000 in two years. This suggests FBI officials are more interested in generating a "going dark" narrative than actually deploying available tech to access contents of seized devices.

The existence of another device capable of cracking iPhone encryption should be good news for the FBI. Other law enforcement agencies apparently view this as a plus. The downside for those not employed by the government is that there's a vulnerability in iPhones Apple hasn't fixed yet. And, given the intense secrecy surrounding vendors of exploits, we have no idea how many governments have purchased iPhone-cracking devices. It's unlikely Hacking Team is the only exploit vendor selling to authoritarian governments and UN-blacklisted countries. It's just the only one to have been caught doing it. An exploit is an exploit and it will be used by the good and the bad.

Not that relegating it to "good" law enforcement agencies is necessarily a huge improvement. Authoritarian regimes may use tools like this to go after critics and stifle dissent, but let's not forget the FBI has a long history of doing exactly the same thing under the guise of protecting public safety. And, at this point, the FBI isn't being honest about its weapons stockpiles during this Crypto Cold War. Sure, it needs to retain some sort of tactical advantage -- whether it's pursuing bad guys or legislation -- but it should never be granted full credibility when it talks about thousands of unlocked phones, the coming darkness, and how much security we should be forced to give up in the name of public safety.

Filed Under: doj, encryption, fbi, going dark, hacking, iphones, smartphones
Companies: apple, cellebrite, grayshift

Israeli Tech Company Says It Can Crack Any Apple Smartphone

from the thus-endeth-the-going-dark-conversation dept

Could this be the answer to FBI Director Chris Wray's call for broken device encryption?

In what appears to be a major breakthrough for law enforcement, and a possible privacy problem for Apple customers, a major U.S. government contractor claims to have found a way to unlock pretty much every iPhone on the market.

Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.

Big, if true, but not exactly the answer Wray, and others like him, are seeking. Cellebrite claims it can crack any Apple device, including Apple's latest iPhone. This is a boon for law enforcement, as long as they have the money to spend on it and the time to send the device to Cellebrite to crack it.

It won't scale because it can't. The FBI claims it has thousands of locked devices -- not all of them Apple products -- and no one from Cellebrite is promising fast turnaround times. Even if it was low-cost and relatively scalable, it's unlikely to keep Wray from pushing for a government mandate. Whatever flaw in the architecture is being exploited by Cellebrite is likely to be patched up by Apple as soon as it can figure out the company's attack vector. And, ultimately, the fact that it doesn't scale isn't something to worry about (though the FBI doubtless will). No one said investigating criminal activity was supposed to easy and, in fact, a handful of Constitutional amendments are in place to slow law enforcement's roll to prevent the steamrolling of US citizens.

Cellebrite's service apparently disables lockscreen protection, allowing the company to root around in the phone's innards to pull out whatever law enforcement is seeking. This also apparently works with Android devices, although that news is far less surprising than discovering Apple's security measures have been defeated. Default encryption isn't an option for all Android devices and that operating system is generally considered to be the a pile of vulnerabilities d/b/a consumer software.

While this won't end calls for weakened encryption, it does at least give law enforcement agencies another option to deploy against locked devices. But I don't expect it to change the rhetoric. Those calling for "responsible encryption" don't really want private sector solutions, no matter how much they claim to want to hold a "conversation" about lawful access. They want tech company subservience. They want the government -- via judicial, executive, or legislative branch -- to put companies in their place. In their opinion, tech companies have been getting uppity and forgetting the private sector exists to serve the government. It's not just a Chris Wray problem. Plenty of government officials feel the same way. But the complaints about "going dark" are going to ring that much hollower when solutions are being offered by private companies other than the ones the FBI is just dying to smack around.

Filed Under: cracking, encryption, going dark, iphone, privacy, responsible encryption
Companies: apple, cellebrite

Cell Phone Hacking Company Hacked; 900 GB Of Logins, Log Files, And Forensic Evidence Taken

from the let-he-who-is-without-security-breaches-throw-the-first-All-Writs-Order dept

Everything is compromised. In the latest case of a hacking company being hacked, Israel's Cellebrite is the latest to have its internal data hauled off by hackers. Joseph Cox of Motherboard was given inside details by the crew that claims to have spirited away login info and other data from the cell phone-cracking company.

Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite's products.

Included in the data haul are some other nifty surprises: evidence files from forensic searches of cell phones and logs from Cellebrite devices.

Cellebrite is a major supplier to US law enforcement, as well as to government agencies in countries with sketchier human rights records like Turkey, Russia, and the United Arab Emirates. In many ways, the company is similar to Italy's Hacking Team, which found itself hacked and its emailed dirty laundry aired by enterprising hackers unimpressed by the company's malleable morality.

What's truly interesting about this hack (and those similar to it) is that they go right to the heart of what's wrong with the DOJ's insistence that any "one-time" phone crack -- like the one they pursued in the San Bernardino mass shooting case -- would be safe as houses in the government's hands.

Riana Pfefferkorn -- who helped write an amicus brief on Apple's behalf (along with several other security researchers and professors) -- pointed out on Twitter that Cellebrite's hacking is exactly the sort of risk the government refused to seriously contemplate during its pursuit of an All Writs Order forcing Apple to open up the phone for the FBI.

If such a hack were created by Apple in response to a court order, there's no way for the FBI, Apple, or anyone else to plausibly claim it would be kept out of the hands of malicious actors. Companies in the business of breaking into devices aren't impervious to outside attacks. Neither is the US government, which has proven consistently weak when it comes to securing the massive amount of personally-identifiable information it collects from US citizens.

So far, the collected files haven't been shown to anyone but a few journalists, but Cox points out unauthorized access to Cellebrite isn't exactly a new thing.

Access to Cellebrite's systems has been traded among a select few in IRC chat rooms, according to the hacker.

“To be honest, had it not been for the recent stance taken by Western governments no one would have known but us,” the hacker told Motherboard. The hacker expressed disdain for recent changes in surveillance legislation.

Cellebrite's response to the hack is to claim that the only thing affected was a legacy server for end user licenses. Customers are being encouraged to change their passwords, but that comes a little too late to do much good. That license server may be the only thing breached through unauthorized means, but the log files and obtained evidence the hackers appear to have could easily have been taken out of the front end with compromised credentials.

The underlying fact is this: breaking protections like encryption or purchasing exploits to defeat it is something the FBI and other law enforcement entities will continue to advocate for, even while aware that it's impossible to claim definitively that the tools used won't be hijacked by someone else with more malicious motives. The Shadow Brokers' heist of NSA exploits shows that even if the government takes steps to protect what it has stored on its own servers, it can't prevent a disgruntled analyst from leaving a blackhat toolbag behind for others to find once a surveillance job is finished.

Filed Under: backdoors, encryption, hacking, phones
Companies: cellebrite