The company that reads out mobile phones for police forces worldwide is currently being laughed at in tech-nerd circles. A BBC report claimed that Cellebrite had cracked the crypto app Signal. Meanwhile, Signal has hit back: the Cellebrite UFED, with which the Dutch police – and the Netherlands Forensic Institute (NFI) – also work, is so poorly secured that it cannot actually be relied on to produce reliable data.
By @Wim van de Pol
Signal is an app that many people around the world use to call and text each other. The app is highly regarded in the tech community because its methodology (unlike that of Encro or Sky, for example) is public and transparent and the PGP encryption is uncrackable.
Cellebrite is a loyal companion of police forces in many countries. The Israeli company analyzes mobile phones seized from suspects for the police. The Public Prosecution Service then uses that information in criminal files, and the judge convicts suspects (partly) on that basis.
No
The BBC report about Signal in December caused quite a stir but turned out to be a canard, and a mistake by Cellebrite (which also removed the post from its own blog; mirror).
Signal’s outspoken CEO, Moxie Marlinspike, responded as if stung by a wasp: “No, Cellebrite cannot ‘break Signal encryption’,” he wrote on his blog. Besides, Cellebrite doesn’t crack anything; it just extracts information from a phone.
Moxie Marlinspike wasn’t done with Cellebrite yet. He started hacking. This week he published the result, an embarrassment for Cellebrite: its flagship and cash cow, the UFED, contains more than a hundred vulnerabilities.
Worse, once a telephone has been connected to it, no statement can be made about the reliability of what the device reports.
Truck
An ‘incredible coincidence’, Marlinspike writes:
Coincidentally, a Cellebrite bag fell off a truck the other day while I was out walking.
Marlinspike was soon surprised, not least because Cellebrite says that it produces ‘digital intelligence’ for ‘a safer world’.
Since almost all of Cellebrite’s code exists to parse untrusted input that could be unexpectedly formatted to take advantage of memory corruption or other vulnerabilities in the parsing software, you might expect Cellebrite to have been extremely careful.
But the UFED was not safe.
The software on the device has not been updated since 2012, according to Signal. That makes every Cellebrite device a total loss from a security point of view, says Marlinspike:
We found that it is possible to run arbitrary code on a Cellebrite machine simply by inserting a specially formatted, but otherwise harmless, file into an app on a device that is then connected to Cellebrite and scanned. There are virtually no limits to the code that can be executed.
No old PC is easier to hack. But it is much worse:
It is possible to run code that not only modifies the Cellebrite report created in that scan, but also all previously and future generated Cellebrite reports from all previously scanned devices and all future scanned devices, in any way (inserting or deleting text, email, photos, contacts, files or other data), without detectable timestamp changes or checksum errors. This could even happen arbitrarily, and would seriously call the data integrity of Cellebrite’s reports into question.
And a reliable report, that’s what a court is all about – if all goes well.
Now that this is known, anyone can prepare their phone in such a way that the moment a police officer plugs in a Cellebrite cable, the UFED goes haywire, or, for example, changes or deletes information on that phone.
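The passage above turns on one point: a checksum or timestamp computed by the same extraction machine that may have been compromised proves nothing, because code running on that machine can rewrite both. The defence is an integrity record anchored outside the extraction host. The following is an added example, not code from the article, from Signal or from Cellebrite: it hashes every report file at the moment of extraction and seals the manifest with an HMAC key that is assumed to be held only on a separate, hardened evidence server (the file names, contents and key are constructed for the example). Later verification detects any file that was modified, removed or added after sealing, regardless of what the file timestamps say.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample: report files as a forensics workstation might write them.
# Paths, contents and the key below are made up for this example.
SAMPLE_REPORTS: Dict[str, bytes] = {
    "case-0001/report.xml": b"<report device='phone-A'><sms>hello</sms></report>",
    "case-0001/photos.bin": b"\x89PNG constructed-binary-payload",
    "case-0002/report.xml": b"<report device='phone-B'><contacts>2</contacts></report>",
}
OFFLINE_KEY = b"constructed-key-held-on-evidence-server-not-on-ufed-host"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: Dict[str, str]) -> bytes:
    # Deterministic serialisation so the HMAC is reproducible at verification time.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every report file at extraction time: path -> SHA-256 hex digest.
    Deliberately records no timestamps; the text above shows why they cannot be trusted."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def seal_manifest(manifest: Dict[str, str], key: bytes) -> bytes:
    """Seal the manifest with an HMAC under a key the extraction host never holds.
    The sealed blob is what gets stored on the separate evidence server."""
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True).encode()


def verify_reports(sealed: bytes, files: Dict[str, bytes], key: bytes) -> Tuple[bool, List[str]]:
    """Re-check the current report files against the sealed manifest.
    Returns (ok, findings); findings is empty only when nothing changed."""
    doc = json.loads(sealed)
    manifest: Dict[str, str] = doc["manifest"]
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    findings: List[str] = []
    # First check the manifest itself; if it was rewritten, none of its digests mean anything.
    if not hmac.compare_digest(expected, doc["hmac"]):
        findings.append("manifest signature invalid: manifest altered or wrong key")
        return False, findings
    for path, digest in manifest.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), digest):
            findings.append(f"modified: {path}")
    for path in files:
        if path not in manifest:
            findings.append(f"unlisted (added after sealing): {path}")
    return not findings, findings


if __name__ == "__main__":
    sealed = seal_manifest(build_manifest(SAMPLE_REPORTS), OFFLINE_KEY)
    print("fresh reports:", verify_reports(sealed, SAMPLE_REPORTS, OFFLINE_KEY))
    # Simulate a later silent edit of an earlier report; the file's mtime is irrelevant here.
    tampered = dict(SAMPLE_REPORTS)
    tampered["case-0001/report.xml"] = b"<report device='phone-A'><sms>goodbye</sms></report>"
    print("after tampering:", verify_reports(sealed, tampered, OFFLINE_KEY))
```

The manifest must be produced as part of the extraction procedure and shipped off the workstation immediately; a seal created after the fact only certifies whatever state the reports were already in. It also detects only changes, not a report that was wrong from the moment it was generated, which is exactly the case the quoted text describes for a scan of a prepared phone.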
Hopeless
Marlinspike implies that in security terms, the situation for Cellebrite’s UFED is hopeless.
Until Cellebrite is able to accurately fix all vulnerabilities in its software with extreme confidence, the only remedy a Cellebrite user has is to not scan devices.
Even applying more than a hundred patches to the software is no guarantee, Marlinspike said. So stop using the Cellebrite UFED.
Marlinspike says he is willing to reveal to Cellebrite the specific vulnerabilities that Signal now knows about in its products, and which Cellebrite may not have mapped out itself, but under one condition:
If they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective suppliers now and in the future.
Apple software
As a bonus, Marlinspike states that Cellebrite apparently stole Apple software for their iPhone extraction.
It seems unlikely to us that Apple licensed Cellebrite to redistribute Apple DLLs and include them in its own product, so this could pose a legal risk to Cellebrite and its users.
Apple lawyers are known for their limited ability to put things into perspective when it comes to property law.
Marlinspike makes no secret of having already hated Cellebrite anyway, because it also sells its software and devices to regimes that have little regard for human rights, such as Belarus, Russia, Venezuela, China, and the military in Myanmar.
Signal also made a video of it:
Our latest blog post explores vulnerabilities and possible Apple copyright violations in Cellebrite’s software:
“Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective” https://t.co/DKgGejPu62 pic.twitter.com/X3ghXrgdfo
— Signal (@signalapp) April 21, 2021