The company that reads cell phones for law enforcement around the world is making fun of tech nerds right now. A BBC entry claimed that Cellebrite cracked the Signal crypto app. Meanwhile, Signal fired back: Cellebrite’s UFED, which the Dutch police – and the Netherlands Forensic Institute (NFI) – also work with, is so poorly secured it wouldn’t actually produce reliable data.
Door @Wim van de Pol
Signal is an app that many citizens around the world use to call and text each other. The app is highly regarded in the tech community because the methodology (unlike Encro or Sky, for example) is public and transparent and the PGP encoding is unbreakable.
Cellebrite is a staunch companion of police forces in many countries. The Israeli company analyzes cell phones seized from suspects for police. The prosecution then uses this information in criminal cases and the judge (in part) convicts the suspects on this basis.
The outspoken CEO of Signal, Moxie marlinspike replied as if stung by a wasp: “No, Cellebrite cannot ‘break the signal encryption.” Wrote there on his blog. Moreover, Cellebrite doesn’t crack anything, it just sucks information from a phone.
Moxie Marlinspike was not done with Cellebrite yet. He started to hack. This week published it is the shameful result for Cellebrite. The flagship slash milking cow van Cellebrite – the UFED – contains over a hundred vulnerabilities.
Worse yet, when a phone is connected, no claim can be made on the reliability of what the device is reporting.
An “ incredible coincidence, ” writes Marlinspike:
Coincidentally, a Cellebrite bag fell off a truck the other day as I was walking.
Surprise soon struck, in Marlinspike. Also because Cellebrite says it produces “digital intelligence” for “a safer world”.
Since almost all of the code in Cellebrite exists to scan for untrusted entries that could be unexpectedly formatted to take advantage of memory corruption or other vulnerabilities in the scanning software, you can expect that Cellebrite was extremely careful.
But UFED was not sure.
The device’s software has not been updated since 2012, according to Signal. This makes every Cellebrite device a total loss from a safety standpoint, according to Marlinspike:
We have found that it is possible to execute arbitrary code on a Cellebrite machine simply by inserting a specially formatted, but otherwise harmless, file into an app on a device which is then connected to Cellebrite and scanned. There is virtually no limit to the code that can be executed.
There’s no older PC that’s easier to hack. But it’s much worse:
It is possible to run code that modifies not only the Cellebrite report created during this scan, but also any past and future generated reports that Cellebrite reports from all previously scanned devices and all future scanned devices from whatever any way (insert or delete text, emails, photos, contacts, files or other data), with no timestamp changes or detectable checksum errors. In fact, this could happen arbitrarily and seriously question the data integrity of Cellebrite’s reports.
And a reliable report is what a tribunal is – if all goes well.
Now that this is known, anyone can prepare their phone in such a way that the moment a police officer plugs in a Cellebrite cable, UFED goes crazy, or changes or deletes information on their phone, for example. (text continues under the ad)
Marlinspike implies that in terms of security, the situation of UFED in Cellebrite is hopeless.
Until Cellebrite is able to accurately patch all vulnerabilities in its software with extreme confidence, the only remedy available to a Cellebrite user is not to scan devices.
Even updating with over a hundred software fixes is no guarantee, Marlinspike said. So stop using Cellebrite UFED.
Marlinspike says she’s ready to reveal to Cellebrite the specific vulnerabilities Signal now knows about them, and that they may not have mapped themselves out, but on one condition:
If they do the same for any vulnerabilities they use in their physical extraction and other services to their respective vendors now and in the future.
As a bonus, Marlinspike states that Cellebrite apparently stole Apple’s software for ripping his iPhone.
It seems unlikely to us that Apple allowed Cellebrite to redistribute Apple DLLs and include them in its own product, which could pose a legal risk to Cellebrite and its users.
Apple attorneys are known for their limited ability to put real estate law into perspective.
Marlinspike makes no secret of having hated Cellebrite before anyway, as they also sell their software and devices to regimes that are not so close to human rights, like Belarus, Russia, Venezuela, China and the United States. army in Myanmar.
Signal also made a video of it:
Our latest blog post explores vulnerabilities and possible Apple copyright infringements in Cellebrite’s software:
– Signal (@signalapp) April 21, 2021