Signal CEO Hacks Cellebrite Tool Police Use To Crack iOS And Android Phones, Makes Interesting Discoveries
Israel-based digital intelligence company Cellebrite provides software that enables the extraction of data from devices. While law enforcement loves this, it raises ire from phone manufacturers and individuals alike, with privacy concerns abounding. Interestingly, the CEO of Signal got their hands on one of these devices and managed to hack it, which provided some interesting insights, to say the least.
For context, Cellebrite software seems to exist in a moral and legal grey area, where law enforcement can unlock phones without authorization by the owner. While it is important to note that Cellebrite software requires the device to be in the hands of the person attempting to get data, this may not be difficult, depending on the situation. As the Wednesday blog post from Signal CEO Moxie Marlinspike explains, Cellebrite products have “often been linked to the persecution of imprisoned journalists and activists around the world,” which is not great for either privacy or human rights.
In any case, when Marlinspike got his hands on the Cellebrite software through sheer luck, it proved to be a great opportunity. As it turns out, the software focusing on mobile device security was not secure itself. The software package included outdated snippets of code and was missing “industry-standard exploit mitigation defenses,” according to Marlinspike. This lack of security allowed for numerous opportunities, with the ultimate possibility of executing arbitrary code on a Cellebrite machine.
This code execution could be done through a “specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned.” In one example, it is theoretically possible to modify both the current Cellebrite report being generated from a device and all previous and future reports. Marlinspike also put together a snarky clip reminiscent of the movie Hackers, which shows an edgy little message that they got to appear.
Furthermore, research into the Cellebrite software shows that it includes Apple MSI installer packages, which Apple digitally signs. Apple likely did not willingly provide these to be bundled with Cellebrite, which could pose legal issues on top of the vulnerability issues. Of course, all of this could be a major problem for law enforcement, as any app or device could contain one of these malicious files. Subsequently, Signal is willing to responsibly disclose this issue, provided Cellebrite does the same for the vulnerabilities they have found.
Until then, Marlinspike also reports that “in completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage.” Supposedly these files are only for “aesthetics” and are important in software, so there is nothing to worry about for Signal customers, but it could be problematic for Cellebrite customers. Anyhow, let us know what you think of this development, and if you will be downloading Signal so you too can have aesthetically pleasing software, in the comments below.