Israeli digital intelligence firm Cellebrite sells software to unlock phones and extract their data. As a result, its products are a favorite of US law enforcement, and police often use them to gather evidence from confiscated devices. In the past, the company has been criticized for its willingness to sell to almost any government, including repressive regimes around the world. Despite its mission to compromise phone security everywhere, Cellebrite seems to have little interest in securing its own software, if you believe the CEO of the encrypted chat app Signal.
In a blog post published on Wednesday, Moxie Marlinspike claimed that Cellebrite’s software has terrible security and could be easily manipulated in a number of pretty amazing ways.
“We were surprised that Cellebrite’s own software security seemed to have received very little attention. There are no industry defenses against exploits and there are many opportunities for exploitation,” Marlinspike writes. “Until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high levels of security, the only remedy a Cellebrite user has is not to scan any devices.”
Among many wild allegations on the blog, Marlinspike says that due to security vulnerabilities, someone could basically rewrite all of the data collected by Cellebrite’s tools. Hypothetically, a uniquely configured file could be placed in any app on a target device, allowing the alteration of any data that has been or will be collected by Cellebrite’s software.
Such a file could “modify data in any way (insert or remove text, email, photos, contacts, files, or other data) with no apparent timestamp changes or checksum errors,” the blog said. It goes on:
“Given the number of options available, we’ve found that it is possible to run arbitrary code on a Cellebrite computer by simply inserting a specially formatted but otherwise harmless file into each app on a device that is then plugged into Cellebrite and is scanned. There are virtually no limits to the code that can be executed.”
The blog even has a video, spliced with scenes from the movie Hackers, which shows how easily the Cellebrite software can be hijacked.
Additionally, the blog makes another rather bold claim: code that appears to be Apple’s intellectual property appears in Cellebrite’s software – something Marlinspike says “could pose a legal risk to Cellebrite and its users.” In other words, Cellebrite may be selling code that belongs to one of its biggest opponents.
If all of this is true, it could have a pretty massive impact on Cellebrite. If we can assume that it is really that easy for someone to break into the company’s software and drastically change the data collected by the police, how sure can law enforcement be that the evidence they have collected is actually correct? What would be the legal ramifications for cases that depend on Cellebrite’s software if its security is really that poor? Anyone involved in a case involving this software should probably call their attorney right away.
The fact that Marlinspike has been very public with these security concerns – and without prior disclosure to Cellebrite, as is the industry standard – could definitely be seen as a slap, if not a full backhand slap, in the face. It is hard not to read all of this as sort of a response to Cellebrite’s recent claims that it can crack Signal’s encryption, certainly an assertion that irritated Marlinspike. To top it off, the Signal CEO actually ends the blog by making it sound like Signal is planning to spam Cellebrite with some type of malware-related files in the future:
In completely independent messages, upcoming versions of Signal will periodically fetch files for storage in the app. These files are never used for anything in Signal, and never interact with Signal software or data, but they look good, and aesthetics are important in software … we have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. These files have no other meaning.
Indeed, shots have been fired. We have reached out to Cellebrite for comment and will update this story when we hear back.
UPDATE, 6:50 p.m., Wednesday April 21: In response to a request for comment, a Cellebrite spokesperson sent us the following statement:
With Cellebrite, customers can save lives, speed justice, and protect privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers can use our technology and do not sell it to countries sanctioned by the US, Israel, or the wider international community. Cellebrite is committed to protecting the integrity of our customers’ data and we continuously review and update our software to provide our customers with the best digital intelligence solutions available.