Moxie Marlinspike, the CEO of Signal, has hacked and trolled Cellebrite in the best possible way. This is the kind of epic hack that will not make sense to people unless they’re familiar with iPhone security and encryption.
Signal is an end-to-end encrypted chat app that works on iPhone and Android. It features the same strong encryption as iMessage and WhatsApp but collects even less data than Apple’s messaging app. Signal is one of the apps that millions of people flocked to a few months ago when Facebook started warning WhatsApp users that it would start collecting more data. Of note, even Mark Zuckerberg apparently uses Signal.
Cellebrite is an Israeli security company that makes software that can crack encryption. Cellebrite often comes up in reports detailing law enforcement efforts to hack encrypted devices. It’s also the company that was suspected until recently to have broken into the infamous San Bernardino iPhone. It didn’t. The company is still often criticized for its apparent willingness to provide assistance to repressive regimes.
In an epic turn of events, it appears as though Cellebrite’s software has massive security issues, and the vulnerabilities that Signal’s CEO discovered might be problematic for the security company. On top of that, Cellebrite might be using Apple software without a license.
It might be surprising to hear that Signal is interested in hacking Cellebrite, but those familiar with these two companies might remember that Cellebrite claimed a few months ago that it can crack Signal’s encryption. Signal already blasted Cellebrite’s claims that it has “advanced techniques” for breaking Signal’s encryption. This unexpected “war” apparently prompted Marlinspike & Co. to look into Cellebrite’s own app security.
The CEO explains that Cellebrite has two pieces of software that are routinely used to hack smartphones, namely UFED and Physical Analyzer — from the blog:
UFED creates a backup of your device onto the Windows machine running UFED (it is essentially a frontend to adb backup on Android and iTunes backup on iPhone, with some additional parsing). Once a backup has been created, Physical Analyzer then parses the files from the backup in order to display the data in browsable form.
To hack a phone, Cellebrite would need physical access to the handset. The CEO explained that when Cellebrite said it could hack Signal, what the company really meant was that it “had added support to Physical Analyzer for the file formats used by Signal.” This allows the apps to display Signal data extracted from an unlocked device. Any app on the phone can be accessed if the phone is unlocked, and Cellebrite does precisely that by automating the process.
He then explained that Cellebrite should have built protections into its software so that parsing data pulled from an app on an iPhone or Android device cannot lead to malicious code running on the Cellebrite machine. But the Israeli company failed to protect its own software against hackers:
Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.
This whole security war between Signal and Cellebrite might seem hilarious, but the matter is actually quite serious. The bugs that Marlinspike found would allow an attacker to compromise the output from Cellebrite apps on a Windows computer without leaving a trace. This could have profound implications for the reliability of forensic evidence obtained from smartphones via Cellebrite’s hacks — from the blog:
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
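The quoted passage makes a point forensic labs should take seriously: once the workstation that writes the reports is compromised, any checksum that workstation computes can be regenerated alongside the altered report, so "no checksum failures" tells you nothing. The Python example below is added here to illustrate that gap and the usual mitigation; it is not Signal's or Cellebrite's code. It assumes a hypothetical setup in which a keyed seal over the report manifest is produced and verified with a key held on a separate evidence host, never on the analysis workstation. The report contents are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample "reports": two byte strings standing in for report files
# produced on an analysis workstation (not real forensic output).
REPORTS = {
    "device_A_report.txt": b"contact: Alice <alice@example.invalid>\nmessage: see you at 9\n",
    "device_B_report.txt": b"contact: Bob <bob@example.invalid>\nmessage: running late\n",
}


def build_manifest(reports):
    """Plain SHA-256 manifest (filename -> hex digest), as a workstation-local check."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in reports.items()}


def manifest_checks_out(reports, manifest):
    """Unkeyed verification: anyone holding the files can recompute this."""
    return build_manifest(reports) == manifest


def canonical(manifest):
    """Deterministic encoding so the seal covers exactly one byte sequence."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest, key):
    """Keyed MAC over the manifest. Assumption: the key lives on a separate
    evidence host, so the workstation can never produce a fresh valid seal."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def seal_verifies(manifest, seal, key):
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def tamper(reports):
    """Simulate the outcome the post describes: a report altered on the
    workstation, then the local manifest regenerated so no checksum fails."""
    altered = dict(reports)
    altered["device_A_report.txt"] = altered["device_A_report.txt"].replace(b"9", b"10")
    return altered, build_manifest(altered)


def demo():
    key = secrets.token_bytes(32)  # held by the evidence host, not the workstation
    manifest = build_manifest(REPORTS)
    seal = seal_manifest(manifest, key)

    altered, regenerated = tamper(REPORTS)
    return {
        # the regenerated local manifest matches the altered files: nothing fails
        "local_checksums_still_pass": manifest_checks_out(altered, regenerated),
        # the off-host seal was computed over the original manifest: mismatch
        "offhost_seal_still_passes": seal_verifies(regenerated, seal, key),
        # the untouched manifest still verifies against the same seal
        "original_seal_passes": seal_verifies(manifest, seal, key),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two checks diverging: the workstation-local manifest still passes after the report is rewritten, while the seal produced off-host does not. The design point is where the key sits, not which hash is used; a digest or signature whose key is available on the compromised machine is exactly as regenerable as the report itself.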
The CEO said that Signal is willing to disclose the vulnerabilities it used as long as Cellebrite will do the same thing with the vulnerabilities it uses to unlock devices. He proved in the best possible way that someone can inject code into Cellebrite apps, as seen in the following video.
Our latest blog post explores vulnerabilities and possible Apple copyright violations in Cellebrite's software:
"Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective" https://t.co/DKgGejPu62 pic.twitter.com/X3ghXrgdfo
— Signal (@signalapp) April 21, 2021
Marlinspike also provided evidence that shows Cellebrite is using software that Apple created and signed:
It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users.
To top it all off, the CEO said that future Signal app versions will include files that aren’t required for Signal functionality. But they look nice:
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
You know exactly what that means if you’ve read Signal’s description of how Cellebrite software extracts app content and how the bugs work.
Topping it all off, Cellebrite gave Gizmodo precisely the kind of PR response you would expect following a vulnerability disclosure:
Cellebrite enables customers to protect and save lives, accelerate justice and preserve privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community. Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available.
Signal’s full post about Cellebrite’s vulnerabilities is available at this link.