Click to Skip Ad
Closing in...
  1. AirPods 2 Price
    11:46 Deals

    Amazon’s AirPods 2 price is the lowest it’s been all year, but not for much lo…

  2. Best Robot Vacuum Deals
    13:00 Deals

    Amazon’s best Roomba vacuum deal is the Roomba 675 for $199

  3. Best Camera Drone Under $100
    08:43 Deals

    Best camera drone under $100 gets a rare extra discount at Amazon

  4. Best Car Detailing Products
    14:14 Deals

    The best car detailing product is a $5.59 tool on Amazon that pros don’t want you to…

  5. Top Amazon Deals
    08:06 Deals

    10 top Amazon deals you can only get if you have Prime

Signal’s epic hack of Cellebrite already already has major consequences

April 28th, 2021 at 5:30 PM
Signal Cellebrite Hack

Encrypted instant messaging app Signal hacked security company Cellebrite a few days ago. The Signal developers showed that the app law enforcement agencies use around the world to extract information from iPhones and Android devices as part of criminal investigations has a few significant security flaws.

Signal discovered that Cellebrite software could be exploited to execute code that would modify reports about the smartphone being analyzed. But the hack could also compromise future and previous Cellebrite reports. Those changes would go unnoticed, so an attacker with access to a machine with Cellebrite software on it could impact digital evidence extraction without risking exposure. Furthermore, Signal indicated that placing content inside a smartphone app that does nothing for the app in question can be used to compromise Cellebrite software.

It turns out Signal’s disclosures had real, immediate, and foreseeable complications.

Today's Top Deal 88,000+ Amazon shoppers love these luxurious bed sheets that keep you cool at night! Price:$34.95 Buy Now Available from Amazon, BGR may receive a commission Available from Amazon BGR may receive a commission

Physical Analyzer, one of Cellebrite’s apps that extract data from iPhones, doesn’t fully support iPhones following the Signal disclosures. According to a document that 9to5Mac saw, Cellebrite has stopped offering data analysis on iPhones following the Signal hack. Cellebrite updated the software to patch some of the vulnerabilities, although it appears it wasn’t able to fix them all. The company reportedly instructed customers to use UFED, its other data extraction app, to grab data from the iPhone and then move it to Physical Analyzer.

This isn’t Cellebrite’s only Signal-related problem. A Maryland lawyer decided to challenge the conviction of one of his clients in a case where the prosecution relied “heavily” on Cellebrite evidence. The client was charged in relation to an armed robbery, Gizmodo explains. Ramon Rozas told the blog a “new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself.”

The fact that defense attorneys would attempt to take advantage of Signal’s findings isn’t surprising given what the Signal developers found — here’s a quote from the blog post that detailed the Cellebrite vulnerabilities:

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

This language is enough to give lawyers a way to attack Cellebrite findings in trials and appeals. However, proving that someone accessed, hacked, and modified Cellebrite software on the computers of law enforcement who investigated a suspect will be a challenging task. Signal did say that the newly discovered vulnerabilities can be exploited without leaving any traces. While proving someone tampered with digital evidence from an iPhone seems next to impossible, raising questions about the reliability of Cellebrite data might be enough in some cases.

Today's Top Deal The best Alexa smart plugs on Amazon are somehow down to just $5 each! List Price:$24.99 Price:$19.99 You Save:$5.00 (20%) Buy Now Available from Amazon, BGR may receive a commission Available from Amazon BGR may receive a commission

Chris Smith started writing about gadgets as a hobby, and before he knew it he was sharing his views on tech stuff with readers around the world. Whenever he's not writing about gadgets he miserably fails to stay away from them, although he desperately tries. But that's not necessarily a bad thing.

Popular News