Encrypted instant messaging app Signal hacked security company Cellebrite a few days ago. The Signal developers showed that the app law enforcement agencies use around the world to extract information from iPhones and Android devices as part of criminal investigations has a few significant security flaws.
Signal discovered that Cellebrite software could be exploited to execute code that would modify reports about the smartphone being analyzed. But the hack could also compromise future and previous Cellebrite reports. Those changes would go unnoticed, so an attacker with access to a machine with Cellebrite software on it could impact digital evidence extraction without risking exposure. Furthermore, Signal indicated that placing content inside a smartphone app that does nothing for the app in question can be used to compromise Cellebrite software.
It turns out Signal’s disclosures had real, immediate, and foreseeable complications.
Physical Analyzer, one of Cellebrite’s apps that extract data from iPhones, doesn’t fully support iPhones following the Signal disclosures. According to a document that 9to5Mac saw, Cellebrite has stopped offering data analysis on iPhones following the Signal hack. Cellebrite updated the software to patch some of the vulnerabilities, although it appears it wasn’t able to fix them all. The company reportedly instructed customers to use UFED, its other data extraction app, to grab data from the iPhone and then move it to Physical Analyzer.
This isn’t Cellebrite’s only Signal-related problem. A Maryland lawyer decided to challenge the conviction of one of his clients in a case where the prosecution relied “heavily” on Cellebrite evidence. The client was charged in relation to an armed robbery, Gizmodo explains. Ramon Rozas told the blog a “new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself.”
The fact that defense attorneys would attempt to take advantage of Signal’s findings isn’t surprising given what the Signal developers found — here’s a quote from the blog post that detailed the Cellebrite vulnerabilities:
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
This language is enough to give lawyers a way to attack Cellebrite findings in trials and appeals. However, proving that someone accessed, hacked, and modified Cellebrite software on the computers of law enforcement who investigated a suspect will be a challenging task. Signal did say that the newly discovered vulnerabilities can be exploited without leaving any traces. While proving someone tampered with digital evidence from an iPhone seems next to impossible, raising questions about the reliability of Cellebrite data might be enough in some cases.
