Israeli digital intelligence company Cellebrite sells software for unlocking phones and extracting their data. As a result, its products are favorites of U.S. law enforcement agencies and are often used by police to collect evidence from seized devices. In the past, the company has been criticized for being prepared to sell to almost any government, including repressive regimes around the world. But despite its mission to compromise phone security everywhere, Cellebrite seems not to have much interest in securing its own software, if you believe the CEO of encrypted chat application Signal.
Moxie Marlinspike said in a blog post published on Wednesday that Cellebrite's software has atrocious security that can be manipulated in a number of rather astonishing ways.
“We were surprised that Cellebrite’s own software security seemed to have received very little care. Mitigation defenses are missing from industry standard exploitation and there are many exploitation opportunities available,” says Marlinspike. “The only solution that a user has is not scanning devices until Cellebrite can accurately remedy all vulnerabilities in its software with extreme confidence.”
Among the many wild claims made in the blog post, Marlinspike said that, because of the security problems, somebody could basically rewrite all of the information collected by Cellebrite’s tools. A specially configured file could hypothetically be slipped into any app on a targeted device to alter all the data collected by Cellebrite software.
This file could alter data (inserting or removing text, email messages, photos, contacts, files or any of the other data) “without any detectable timing changes or checksum failures.” The post goes on:
“Because of the numerous possibilities, arbitrary code can simply be executed on a Cellebrite machine using a specially formatted but otherwise harmless file in any app on a device that is subsequently connected to, and scanned by, Cellebrite. The code that can be executed is virtually without limits.”
The blog post also contains a video, spliced with scenes from the movie Hackers, that shows how easily Cellebrite’s software can be taken over.
In addition, the blog post makes a quite audacious claim: code that is apparently Apple’s intellectual property appears in software from Cellebrite, which, as Marlinspike said, “may present a legal risk to Cellebrite and its users.” In other words, Cellebrite could be selling code that belongs to its greatest opponent.
If all these disclosures are true, the implications for Cellebrite could be quite massive. If it’s really that easy for anyone to break into the company’s software and dramatically alter the data collected by the police, how sure can law enforcement authorities be that the evidence they collect is actually correct? If its security is so poorly implemented, what would be the legal consequences for cases that hinged on Cellebrite’s software? Anyone involved in a case that used this software should probably call their lawyer right now.
It is certainly a shot, if not an outright backhanded slap, that Marlinspike has aired these security concerns very publicly, and did so without the prior disclosure to Cellebrite that is common industry practice. It is difficult not to see all of this as some kind of riposte to Cellebrite’s recent claim that it could break the encrypted Signal app, a claim that certainly stuck in Marlinspike’s craw. To finish off, the Signal CEO ends the blog post by making it really look like Signal plans to hit Cellebrite with a kind of malware file in the future:
In totally unrelated news, the upcoming versions of Signal will regularly collect files to be stored in app storage. These files are never used in Signal and never interact with Signal software or data, but they look good, and software aesthetics matter… We have a number of different versions of files which we think are aesthetically pleasing and are slowly passing through. These files have no other meaning.
Indeed, shots fired. We have reached out to Cellebrite for comment and will update this story if we hear back.
UPDATE, Wednesday, April 21, 6:50 p.m.: A spokesman for Cellebrite has sent us the following statement in response to a request for comment:
Cellebrite allows customers in legally sanctioned investigations to protect and save lives, speed up judicial justice and preserve privacy. We have strict licensing policies which govern how customers can use our technology and do not sell to US, Israel or the global community under sanctions. Cellebrite is committed to protecting the integrity of the data of our customers and we continuously audit, update and supply the best digital intelligence solutions for our customers.