Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns
from the distinct-lack-of-'what-if-this-feel-into-the-wrong-hands'-thinking-by-Ce dept
A pretty hilarious turn of events has led to Cellebrite’s phone hacking tech being hacked by Signal’s Moxie Marlinspike, revealing the tech law enforcement uses to pull data from seized phones is host to major security flaws.
According to Marlinspike, the Cellebrite came into his possession thanks to some careless package handling.
By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
This must be what actually happened. I mean, there’s a photo of a Cellebrite lying on the street. That should end any senseless law enforcement speculation about this device’s origin story.
The fun starts immediately, with Marlinspike finding all sorts of things wrong with Cellebrite’s own device security. This would seem to be a crucial aspect considering Cellebrite performs raw extractions of unvetted data from seized phones, which could result in the forced delivery of malware residing on the target device. But that doesn’t appear to concern Cellebrite, which seems to feel its products will remain unmolested because they’re only sold to government agencies.
Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.
Just one example of this carelessness is unpatched DLLs residing in the Cellebrite system software. One DLL used to handle extracted video content hasn’t been updated since 2012, ignoring more than 100 patches that have been made available since then.
This means it wouldn’t be much of a hassle to target Cellebrite devices with code that could corrupt not only the current data extraction but also the results of every previous extraction performed by that device.
[B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
That’s a major problem because phone extractions are performed to secure evidence to use in criminal cases. If law enforcement agencies can’t trust the data they’ve extracted or rely on the reports generated by Cellebrite to perform searches, they’re going to find their evidence tossed or impossible to submit in the first place.
Further inspection of Cellebrite’s software also shows the company has ported over chunks of Apple’s proprietary code intact and is using it to assist in iPhone extractions. Presumably, Cellebrite hasn’t obtained a license from Apple to use this code in its devices (and redistribute the code with every device sold), so perhaps we’ll be hearing something from Apple’s lawyers in the near future.
This table-turning was likely provoked by Cellebrite’s incredibly questionable claim it had “cracked” Signal’s encryption. Instead, as more information came out — including its use in criminal cases — it became clear Cellebrite did nothing more than anyone could do with an unlocked phone: open up the Signal app and obtain the content of those messages.
Fortunately for everyone not currently working for Cellebrite, a delivery incident occurred and a phone-hacking device was impacted. Signal isn’t worried that Cellebrite can break its encryption. In fact, it doesn’t appear to be worried at all. This examination of Cellebrite hacking tools will only result in a small cosmetic refresh for Signal.
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. […] We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
Maybe this will force Cellebrite to care a bit more deeply about its security and the security of its customers. Or maybe it will brute force its way past this, assuming its customers still have that “our word against yours” thing that tends to work pretty well in court. But it’s not the only player in the phone-cracking field. So it might want to step its security game up a bit. Or at least stop picking fights with encrypted services.
Filed Under: hacking, moxie marlinspike, signal, vulnerabilities
Companies: cellebrite
Comments on “Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns”
When will the sexting images between Micky and Minnie show up in court?
Re: Re:
As soon as we see the divorce trial due to Minnie’s adulterous affair with Goofy.
Re: Re: Re:
I never said Minnie was crazy I said she was F*&@ing Goofy
Who is going to tell Moxie about XRY (MSAB), Oxygen Forensics, Elcomsoft, X-Ways, EnCase (OpenText), FTK (Exterro), Belkasoft, Nuix, MobilEdit (Compelson), Axiom (Magnet Forensics) and all the other forensics software vendors.
Re: Re:
Moxie, as noted in the article, seems to have done this in response to Cellebrite public claim that it broke Signal’s encryption. This was retaliation for Cellebrite’s public lies, not a principled stance on cell phone encryption crackers or forensics software generally.
Re: Re:
Never underestimate the motivational power of spite.
Re: Re: Re: Re:
True, "Never underestimate the power of the dark side".
Re: Re: Re:
Cellebrite’s claim wasn’t too dissimilar to those already made by Oxygen, Elcomsoft or Belkasoft. Cellebrite just showed their working.
Re: Re: Re: Re:
Signal’s encryption was not broken. Cellebrite claimed it broke the encryption.
Cellebrite can, if it cracks the Iphone, access the decrypted messages from the signal app….which is expected behavior. Signal only encrypts messages in transit.
Say I ship a safe with gold. My recipient stores the gold in their home and hasn’t locked the safe. If a thief breaks into the home, its not accurate to say they cracked the safe.
Re: Re: Re:2 Re:
Cellebrite claimed it could decrypt the sqlcipher encrypted databases used by Signal and explained how they did it. The BBC and others reported that as Cellebrite cracked Signal.
What Cellebrite (as well as Elcomsoft and others) did may not be clever to you and me, but to the average corporate or police investigator or a lawyer, it’s a huge help.
Re: Re: Re:2 Re:
"Expected" by whom? Do people choose do save all their messages forever, or does the app just do it without asking?
And do we know anything about how they "crack the Iphone"?
Re: Re: Re:2 Re:
I’m somehow reminded of the time when I saw an ad for a "toy" shipped out of China many years ago – must have been vintage windows XP days – a dongle pre-loaded with the most common cracking scripts meant to usurp control over wireless devices. Basically you just turned it on, waited for airshark to grab the relevant stream, then selected which connection you wanted to hack and pressed "go".
Didn’t work for everything – but worked for every current household out-of-the-box security setup.
Cellebrite’s devices seem to operate in this manner. And for most phone setups using the exact same template of security, this probably works pretty well.
tiny correction?
specially formatted but otherwise innocuous files
I hope they will be made available for storage and archive on individual devices.
Re: specially formatted but otherwise innocuous files
The problem is that as soon as Cellebrite gets its hands on one of them, Cellebrite learns about one of the vulnerabilities and also learns that that particular vulnerability is a priority. That means that the all the known ones get fixed much faster, and without Cellebrite having to invest in cleaning up the whole code base.
That’s the whole reason for rolling them out in small numbers, to established accounts, using sharding. It could take a long time for Cellebrite to collect them all even if there are only 10 of them.
tiny correction?
{ok, how does one edit one’s own post?}
[and hitting ENTER on the post Title actually /posts/ the empty Titled post?](instead of Carriage Return to empty Post Body)
anyhow:
the Department error was noticed in Crystal Ball,
but I had no way to contact anyone to express concern for:
"what-if-this-FEEL-into-the-wrong-hands"
perhaps should read:
"what-if-this-FELL-into-the-wrong-hands"
[emphasis added to draw attention]
Re: tiny correction?
Id note that general Web Browser UI design (and application UI Design for that matter) for more than a decade has used the carriage return as a submit. Getting a new line requires use of shift-enter (which in word processors provides a new line without creating a new paragraph bypassing default paragraph spacing settings). Carriage return is not used as form navigation tool in the modern era and hasn’t been widely used as such in the PC space since at least Windows XP, but I think it was depreciated even in Win 3.1. Tab is generally the form navigation tool of choice
Re: Re: tiny correction?
@ James,
I don’t want to argue so early in the morning, but I can say with impunity that I’m able to use the Enter key as I wish when in a Text Box, and it will create a new line, every time. To expect the Enter key to act as a "Submit" switch is an absolute no-no when using a text entry form (a Text Box). That’s why designers put a "Submit" button just outside of the Text Box itself.
What likely happens, and I’m no stranger to this phenomenon, is that a laptop’s touchpad is always looking for ways to screw the keyboardist by doing something that wasn’t desired. If the hand is anywhere near the overly sensitive capacitance device (the touchpad), then depending on where the cursor was sitting, it’s very conceivable that the Submit action was triggered, and the rest of the story is told in tears, such as Ceyarracks had to do. I finally just reached in and physically disconnected the bleepin’ thing, and hooked up an external mouse. Renders the laptop’s mobility a few index points lower, but I’m no longer frustrated at things happening when I don’t want or expect them to happen.
Re: Re: Re: tiny correction?
You can’t on Facebook. Enter submits. Same with twitter. But that doesn’t matter, because you didn’t indicate you were trying to make a new line. You discussed the enter key behavior from the "post title". Techdirt doesn’t have a field that uses that label in the UI. But I can assume you mean the "Subject" box. The subject box is….a different text box than the body. That field would be properly limited to a single line with word wrap enabled. I had assumed you were trying to navigate to the main comment text box, which would be a move to a completely different field, not a new line, because that is what you described.
And I know you can’t be talking about new lines in the body section of the comments. Because in the body section, where new lines are both expected and normal, enter works as you describe. So your issue is not a text box not creating a new line. Your issue is that you are trying to move from the Subject field to the Body field with enter, which is navigating a form. The use of enter for this purpose hasn’t been in vogue for decades.
Re: tiny correction?
One does not edit One’s posts. It just isn’t a thing here.
Re: Re: tiny correction?
One does not simply edit one’s posts.
Re: tiny correction?
"{ok, how does one edit one’s own post?}"
You don’t. You click preview and make sure things are correct before posting, or you say "mea culpa" and remain glad that an edit feature isn’t here for the trolls to abuse.
Sounds like Cellbrite stuff will not be usable for the foreseeable future. I look forward to their response.
One DLL used to handle extracted video content hasn’t been updated since 2012, ignoring more than 100 patches that have been made available since then.
Another article identifies that as ffmpeg, so it’s really likely there’s an LGPL/GPL violation there. Makes me wonder about how much other open-source code might be in there.
Re: Re:
You mean they are violating the law!?!?
Say it isn’t so.
Evidence Chain Irrelevant
A big problem here is many Cellebrite customers are members of despotic regimes with scant care for due process — little better than thugs. They won’t care if the evidence is tainted.
Re:
Besides this, it’s worth noting that Moxie didn’t release enough information for people to exploit the vulnerabilities. Cellebrite will likely pull the same shit Microsoft was known for in the ’90s: say that nobody’s known to be exploiting this, and only a particularly sophisticated person (in today’s language: "nation-state-level threat actor") would be able to execute code via the vulnerability. Oh, and by the way, we’ve fixed the problems he noted. (How’s anyone going to prove that wrong? They only sell to the clueless—officially, to governments, but they must be clueless or corrupt if they didn’t notify anyone of these obvious flaws—and Moxie’s unlikely to come across another by chance.)
Re: Evidence Chain Irrelevant
Except when some astetically pleasing honeypots get read & the report says there is nothing there.
(Cause well despots don;t actually buy cellebrite people are guilty & never proven innocent)
Of course now that there is verifiable evidence that these extracts can be tampered with, without leaving traces & leave the extract device in a state where cellebrite or the cops (US) can’t prove the extract has been modified well it sort of raises questions for courts… how can we trust you claiming they are a terrorist when you can’t prove that what we see in the extract is whats actually on the phone.
Tim, what are you getting at with this? Did he add this statement after law enforcement were publically speculating?
Is it dangerous for Moxie to make a statement like this? A lot of places have laws that require lost property to be handled in a specific way when found by a non-owner. I think it would’ve been safer to just say someone gave or loaned it to him, even if that’s a lie. Unless he had reason to believe it stolen, that wouldn’t be an admission of any illegal activity on his part.
Compared to prosecutors changing their pants for the bad reason
[B]y including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
And in one fell swoop countless defense attorneys just needed to go change their pants for the good(if awkward) reason. Having it demonstrated that it’s possible to undetectably corrupt the device such that it becomes impossible to trust the results it gives just made any evidence from it seriously questionable, and I suspect that countless defense attorneys will be arguing that any evidence gathered that way be tossed as inadmissible as a result, an argument that’s going to be rather hard to refute with this finding.
"Fell off a truck" is still theft
Even if it really did fall off a truck, the device remains the property of the owner, not the person who found it. Moxie Marlinespike should immediately take steps to return this property to its lawful owner.
Of course I don’t believe that story for a minute, but if Marlinespike finds it necessary to publicly admit to a crime in order to cover up the truth, what is he covering up?
Re: Covering up a crime
Principals of plausible deniability tells me a friend of a friend in a precinct was able to secure one for him.
Re: Re: Covering up a crime
Why would he lie about that? It wouldn’t be a crime for him to possess or use borrowed hardware, unlike hardware that fell off a truck.
Re: Re: Re: Why would he lie
Maybe to cover for the friend who procured it for him, who may have committed crimes but more importantly betrayed his blue brethren.
I suspect such a friend, if he was uncovered, would face more than dismissal.
Re: Re: Covering up a crime
So then how do we know for sure that the device that Moxie "found" wasn’t a setup device, a fake with real vons to make Moxie look foolish. Time will tell.
Re: Re: Re: A "setup" device.
This is a possibility, but that would involve someone at the precinct knowing more about cracking phones than Celebrite, or Moxie.
That’s the sort of multi-dimensional gaming that maybe the CIA would play with a rival agency, maybe.
“they’re only sold to government agencies.”
That /MAY/ or may not be true today.
However the company’s products were long the go to for cell phone stores, and mobile device technicians. Purchasable directly from the company. Both T-Mobile and AT&T stores have them.
There are millions in private hands.
The products work great for cloning. Taking data from a damaged or broken phone and porting it to a replacement.
Selective extraction allows transfer from un-matched devices.
Not as useful today since device manufacturers have made it exceedingly easy to port between devices today. But for many many years they were used by technicians around the world.