Signal CEO cracks Cellebrite's phone-cracking tool

Moxie Marlinspike claims it is possible to modify reports created by Cellebrite tools by including "specially formatted" files on an app to be scanned by Cellebrite

Moxie Marlinspike, CEO of the encrypted messaging app Signal, claims to have hacked Israeli firm Cellebrite ' s phone-cracking tools, which law enforcement agencies around the world use to extract data from seized devices.

Marlinspike said that Cellebrite ' s surveillance tools contain a series of vulnerabilities that could enable anyone to take them over and rewrite the data collected from a device.

Cellebrite is a digital intelligence firm that creates and sells software to break into locked iOS or Android devices. The software can extract call records, messaging logs, photos and other data.

The company makes two products: UFED and Physical Analyzer. UFED creates a backup of the device files onto a Windows system, while Physical Analyzer parses the files to make them browsable for the user.

Of course, this is untrusted data and could contain exploits to target vulnerabilities in the parsing (Cellebrite) software - for which there is little protection.

Marlinspike managed to get hold of a Cellebrite UFED, complete with the hardware dongle and software (it 'fell off the back of a truck', apparently), allowing him to test his theory.

"We found that it's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed."

Signal could apparently execute code in this way that modifies "not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way", such as inserting or removing email, text, contacts, photos and other data without leaving evidence.

"This could even be done at random, and would seriously call the data integrity of Cellebrite ' s reports into question."

Marlinspike said his company's app might include such code in the future to foil extraction attempts.

Marlinspike generously offered to disclose the specific vulnerabilities Signal knows about to Cellebrite, "if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future."

In a statement to Ars Technica, Cellebrite said that it was 'committed to protecting the integrity of our customers ' data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available' (Signal's revelation that one of the DLL files it found had not been updated since 2012 does call that claim into question).

Many activists, journalists, researchers, lawyers, politicians and dissidents use Signal. It is considered a privacy-friendly and secure open-source messaging app, which collects little information about users compared to competitors.

Signal saw a huge spike in its popularity earlier this year, after WhatsApp announced a new privacy policy and terms of service setting out plans to share user data with parent company Facebook and its subsidiaries.