Signal, the messaging app, turned the tables on the cellphone hacking company Cellebrite. Moxie Marlinspike, the creator of Signal, said that they found Cellebrite’s hacking kit and also discovered several vulnerabilities in it. He then said that they will update the app to stymie any law enforcement attempts to hack it.
What is Cellebrite?
Cellebrite is an Israel-based digital forensics company that provides tools for the collection, analysis and management of digital files.
“Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security,” Marlinspike wrote. “Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.”
What Marlinspike said about Cellebrite
He said that the DLLs were very old and outdated. The software included a 2012 version of FFmpeg and MSI Windows installer packages for Apple’s iTunes program.
Signal’s team found that by including “specially formatted but otherwise innocuous files in any app on a device” scanned by Cellebrite, they could run code that modifies the UFED report.
What does the hacking system do?
The Cellebrite hacking system might insert malicious texts or remove important messages. It can do the same with email, photos, contacts and other data while leaving no trace of the tampering.
In a tweet, Signal demonstrated in a fun way how Cellebrite hacks. The company said that “a real exploit payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports, or exfiltrate data from the Cellebrite machine.”
A Cellebrite representative wrote an email stating, “Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available.” The representative did not say whether the company's engineers knew about the vulnerabilities that Marlinspike found.
Signal, the messaging app, would make updates that would not let Cellebrite compromise its servers.
Marlinspike said
Marlinspike said in a mocking manner that he found the Cellebrite gear in a “truly unbelievable coincidence” as he was walking and “saw a small package fall off a truck ahead of me.” It is a shocking incident.
Marlinspike declined to provide us with additional information about exactly how the Cellebrite tools came into his possession.