It hasn’t been a while that the forensic firm Cellebrite claimed to have decrypted Signal. And now, we see Signal turning the tables. Recently, the CEO of the private messaging app Signal has highlighted security vulnerabilities in the Cellebrite software.
Signal Pointed Out Cellebrite Software Vulnerabilities
In a recent blog post, Signal app CEO, Moxie Marlinspike, has shared details about some vulnerabilities in the Cellebrite software.
Cellebrite – the Israel-based digital forensics firm – takes pride in its technology to crack mobile phones, including iPhones. For this, the firm seemingly facilitates law enforcement authorities across many countries for criminal investigations involving mobile phones.
How the tool works
As he explained, Marlinspike got a chance to get his hands on Cellebrite’s UFED and Physical Analyzer. He observed that UFED basically serves as a way to create the backup of the target Android or iPhone device onto a Windows device. Once done, the Physical Analyzer then parses the data from the backup and presents it in a readable form.
However, the tools need to have the device in an unlocked state to proceed.
While parsing the data from the target phone, Cellebrite software has no primary control over the data. It simply processes what the apps in the device control. Precisely, the software parses data from ‘untrusted’ sources. This situation exposes the tool to a range of potential vulnerabilities as the software cannot predict the ‘correct’ data formats.
The problems
What Marlinspike noticed was that instead of having enough defense mechanisms to cope with potential yet unknown threats, Cellebrite’s tool lacked security.
One such problem is the presence of old FFmpeg DLLs. Despite many updates, the FFmpeg DLLs in the software has received no updates since 2012.
This makes the tool vulnerable to deliberate cyber-attacks if an attacker places a seemingly innocuous file in an app. A possible consequence of such attacks might include the modification of Cellebrite’s recent and all previous scan reports. As stated,
By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
Marlinspike has shared the followed video demonstrating a UFED exploit. HE confirmed that similar bugs also affect the Physical Analyzer.
Another problem was the use of Apple DLLs by Cellebrite to extract data from iOS devices. These DLLs appear to have been extracted from the Windows installer for iTunes version 12.9.0.167. Since it’s unlikely that Apple would have allowed Cellebrite to use the DLLs, it poses legal risks as well.
Any solution?
According to Moxie, at present, the only way users and Cellebrite have to avoid these problems is to simply not scan a device. Whereas, Cellebrite should consider updating their software in a way that it stops scanning high-risk apps.
Still, “that is no guarantee”.
Cellebrite hasn’t yet commented on this finding.