Signal app’s Moxie says it’s possible to sabotage Cellebrite’s phone-probing tools with booby-trapped file

Updated: It is possible to hijack and manipulate Cellebrite’s phone-probing software tools by placing a specially crafted file on your handset, it is claimed.

Signal app supremo Moxie Marlinspike said in an advisory on Wednesday that he managed to get his hands on some of Cellebrite’s gear, which is typically used by cops, government agents, big biz, and authoritarian regimes to forcibly access the contents of physically seized smartphones.


Once a device is unlocked by Cellebrite’s UFED software, its files and applications can be examined using a Cellebrite program called Physical Analyzer running on a Windows PC.

Marlinspike claims this software collection does a poor job of protecting itself when parsing malicious data extracted from handsets, to the point where it’s possible for an innocent-looking file to inject and execute arbitrary code on the host PC.

That code can then modify the analyzer’s operation, manipulate forensics reports, and so on. Essentially, you can turn the tables on whoever’s probing the phone and hamper their investigation. Here’s how Marlinspike put it:

Proof-of-concept exploits have been developed for UFED and Physical Analyzer to prove this, we’re told. Signal’s creator went on to say he’ll disclose the holes he’s found when Cellebrite discloses the vulnerabilities it exploits to forcibly unlock confiscated handhelds.

In a video, he demonstrated an arbitrary-code-execution exploit against what appears to be version 7.40.0.229 of UFED; the latest version, we note, is 7.44, which was released early this month. The Register understands these proof-of-concept exploits work against the latest builds of Cellebrite’s tools.

The main problem, according to Marlinspike, is that Cellebrite’s suite includes software libraries – such as FFmpeg DLLs – that haven’t been updated in years to patch known exploitable bugs, “industry-standard exploit mitigation defenses are missing,” and “many opportunities for exploitation are present.”
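The complaint about missing “industry-standard exploit mitigation defenses” is something a defender can verify for any Windows binary without running it: the linker records ASLR, DEP and Control Flow Guard support as DllCharacteristics bits in the PE optional header. The script below is an added example written for this article, not code from Signal, Cellebrite or The Register; it parses those bits and flags binaries that lack them. The set of “required” mitigations and the minimal constructed PE header used for offline testing are this example’s own assumptions.

```python
import struct
from pathlib import Path
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits, as defined in the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high-entropy addresses
    "DYNAMIC_BASE": 0x0040,     # image may be relocated at load time (ASLR)
    "FORCE_INTEGRITY": 0x0080,  # code integrity checks enforced
    "NX_COMPAT": 0x0100,        # DEP: data pages are non-executable
    "NO_SEH": 0x0400,           # image contains no structured exception handlers
    "GUARD_CF": 0x4000,         # Control Flow Guard
}

# Audit policy for this example (an assumption, not a vendor or industry list):
# a binary lacking any of these is reported.
REQUIRED = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")


def parse_dll_characteristics(image: bytes) -> Dict[str, bool]:
    """Return the DllCharacteristics flags of a PE image as name -> is set."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 72 or opt + size_of_optional > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dll_char,) = struct.unpack_from("<H", image, opt + 70)
    return {name: bool(dll_char & bit) for name, bit in DLL_CHARACTERISTICS.items()}


def missing_mitigations(image: bytes) -> List[str]:
    """List the REQUIRED mitigations that this image does not opt into."""
    flags = parse_dll_characteristics(image)
    return [name for name in REQUIRED if not flags[name]]


def audit_directory(root: str) -> Dict[str, List[str]]:
    """Map every .dll/.exe under root to its missing mitigations."""
    results: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".dll", ".exe"):
            continue
        try:
            results[str(path)] = missing_mitigations(path.read_bytes())
        except ValueError:
            results[str(path)] = ["UNPARSEABLE"]
    return results


def build_test_image(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections) so the parser can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: PE header follows DOS header
    size_of_optional = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,   # Machine: AMD64 / I386
                       0, 0, 0, 0,                       # sections, timestamp, symtab, nsyms
                       size_of_optional,
                       0x2022)                           # EXECUTABLE | LARGE_ADDRESS_AWARE | DLL
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    hardened = build_test_image(0x0020 | 0x0040 | 0x0100 | 0x4000)
    legacy = build_test_image(0x0000, pe32plus=False)
    print("hardened image lacks:", missing_mitigations(hardened))  # []
    print("legacy image lacks:", missing_mitigations(legacy))
```

Pointing `audit_directory()` at an installation folder gives a quick inventory of which bundled DLLs were linked without ASLR, DEP or CFG; a clean result is necessary but not sufficient, since these bits say nothing about whether the library’s own parsing bugs have been patched, which is the other half of the complaint quoted above.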

Finally, and seemingly as a result of all this, Marlinspike strongly hinted that future versions of Signal may include files that mess up Cellebrite’s software:

This all comes after Cellebrite announced it had updated Physical Analyzer to parse the file formats used by Signal on unlocked devices. A spokesperson for Israel-headquartered Cellebrite was not available for immediate comment on Marlinspike’s findings. ®

Updated to add

A spokeswoman for Cellebrite declined to comment specifically on Marlinspike’s discoveries, and instead insisted the biz keeps its software patched:

On the subject of who uses the software, she added: “We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community.”

PS: If you want to know more about the insides of Cellebrite’s software, KoreLogic has a write-up here from last year.
