The CEO of the encrypted chat app Signal has allegedly broken into the Israeli digital forensics firm Cellebrite. The latter offers software designed to unlock phones and extract their data.
In a case of the hunter becoming the hunted, Israeli digital forensics firm Cellebrite became the victim of a hack. Moxie Marlinspike, creator of the Signal messaging app, not only broke into the platform but also exposed its poor defenses.
Cellebrite’s forensic investigation software platform hacked:
Marlinspike published a post that reported vulnerabilities in Cellebrite software. These security loopholes allowed him to execute malicious code on the Windows computer used to analyze devices.
The CEO, researcher, and software engineer exploited the vulnerabilities by loading specially formatted files. He claims the hack allows him to insert any code into any app installed on the device.
The disclosure of exploitable vulnerabilities is certainly a major cause for concern, not just for Cellebrite but also for its users.
Our latest blog post explores vulnerabilities and possible Apple copyright violations in Cellebrite's software:
— Signal (@signalapp) April 21, 2021
Law enforcement agencies and police across the U.S. frequently use Cellebrite products to gather evidence from seized devices. In the past, the company has received criticism for its willingness to sell to pretty much any government. Reports claim the company offered its products to repressive regimes around the world.
Although it claims to be able to compromise phone security everywhere, Cellebrite has poor defenses for its own software, according to Marlinspike.
“We were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.”
“Until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.”
Cellebrite software manipulation could taint or tamper with evidence?
Owing to the gaping security flaws, someone could essentially rewrite all of the data being collected by Cellebrite’s tools, claims Marlinspike. Hypothetically, anyone with the correct knowledge could slip a uniquely configured file into any app on a targeted device.
Marlinspike is suggesting that data gathered as forensic evidence could be manipulated or tainted, because the flaws allow the alteration of all of the data that has been (or will be) collected by Cellebrite’s software.
Such a file could alter data “in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures.” He concludes “there are virtually no limits on the code”.
As a proof of concept, the blog exposing the security vulnerabilities included a video, spliced with scenes from the movie Hackers, that shows just how easily Cellebrite’s software can be hijacked.
A few months ago Cellebrite announced that they would begin parsing data from Signal in their extraction tools. It seems they're not doing that very carefully.
Exploiting vulnerabilities in Cellebrite's software, from an app's perspective: https://t.co/9ar6ypnPe2
— Moxie Marlinspike (@moxie) April 21, 2021
Many experts are calling out Marlinspike for not first making Cellebrite aware of the security flaws and allowing the company to address the issues. After all, Marlinspike has very publicly outed these security concerns.
There is, however, one apparent reason behind such a brazen act by the Signal CEO. Cellebrite had recently claimed that it could crack Signal’s encryption.