After the cellphone hacking company Cellebrite said it had figured out a way to access the secure messaging app Signal, Signal said in a blog post that it has turned the tables. The app's creator Moxie Marlinspike claimed that his team obtained Cellebrite's hacking kit and discovered several vulnerabilities. He then implied that Signal will update the app to stymie any law enforcement attempts to hack it.
Cellebrite sells a suite of "data analysis devices" called UFED that allows law enforcement to break into iOS or Android phones and extract messaging logs, call records, photos and other data. The suite of hacking tools has reportedly been used used by the FBI to unlock iPhones in the past.
Marlinspike managed to obtain a Cellebrite UFED, complete with the software and hardware dongle, joking that it fell off a truck while he was out for a walk. (Older versions of the devices have popped up on eBay and other sites in the past.)
He noted that it used some old and out-of-date DLLs, including a 2012 version of FFmpeg and MSI Windows installer packages for Apple's iTunes program. "Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security," he wrote.
Signal's team found that by including "specially formatted but otherwise innocuous files in any app on a device" scanned by Cellebrite, it could run code that modifies the UFED report. For instance, it could potentially insert or remove text, email, photos, contacts and other data while leaving no trace of the tampering.
Our latest blog post explores vulnerabilities and possible Apple copyright violations in Cellebrite's software:— Signal (@signalapp) April 21, 2021
"Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective"https://t.co/DKgGejPu62 pic.twitter.com/X3ghXrgdfo
In a tweet (above), Signal demonstrated the hack in action, with the UFED parsing a file formatted to run code and display a benign message. However, the company said that "a real exploit payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports, or exfiltrate data from the Cellebrite machine." Marlinspike then implied that it might install such code within Signal to foil future Cellebrite extraction attempts by law enforcement.
Signal released details about the supposed Cellebrite vulnerabilities without giving the company any warning, but said it would change tack if Cellebrite reciprocated. "We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future."
Cellebrite told Ars Technica that it "is is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available." Signal's claims should be treated with some skepticism without seeing more details around the hack, along with confirmation by other security experts.
Update 4/22/2021 7:23 AM ET: A reference to Cellebrite's tools being used to unlock the San Bernardino killer's iPhone has been removed, as it was reportedly another firm that did the work.