Israeli digital forensics firm Cellebrite has for years helped governments and police around the world break into confiscated cell phones, mostly by exploiting vulnerabilities that device manufacturers overlooked. Now Moxie Marlinspike, the creator of the Signal messaging app, has turned the tables.
On Wednesday, Marlinspike published a post reporting vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze devices. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded in any app installed on the phone being scanned.
Practically no restrictions
“There’s almost no limit to the code that can be executed,” Marlinspike wrote.
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it is possible to execute code that modifies not only the Cellebrite report being created in that scan, but also all previous and future Cellebrite reports generated from all previously scanned devices and all future scanned devices, in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random and would seriously jeopardize the data integrity of Cellebrite’s reports.
Cellebrite offers two software packages: UFED breaks through locks and encryption protections to collect deleted or hidden data, and a separate Physical Analyzer parses that data to identify digital evidence (“trace events”).
To do their jobs, both Cellebrite components must parse all kinds of untrusted data stored on the device being analyzed. Software in that position normally undergoes extensive hardening to detect and fix memory-corruption and parsing vulnerabilities that could let attackers execute malicious code.
“However, looking at both UFED and Physical Analyzer, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security,” Marlinspike wrote. “Industry-standard exploit mitigation defenses are missing, and there are many opportunities for exploitation.”
One example of this lack of hardening is the inclusion of Windows DLLs for the audio/video conversion software FFmpeg. The bundled DLLs were built in 2012 and have not been updated since. Marlinspike noted that FFmpeg has received more than 100 security updates in the nine years since, none of which are included in the FFmpeg build shipped with Cellebrite products.
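The two findings above, stale 2012-era DLLs and missing industry-standard mitigations, are things a defender can check for in any bundled Windows binary before trusting it with untrusted input. The following Python is an added example, not code from Marlinspike, Signal or Cellebrite: it reads a PE header to report the link timestamp and the ASLR/DEP/CFG opt-in flags, `make_sample` builds a constructed stub header so the example runs offline, and the three-year staleness threshold is an arbitrary choice.

```python
import struct
from datetime import datetime, timezone

# DllCharacteristics flags from the PE/COFF optional header.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR entropy
DYNAMIC_BASE = 0x0040     # ASLR
NX_COMPAT = 0x0100        # DEP
GUARD_CF = 0x4000         # Control Flow Guard

def inspect_pe(data: bytes) -> dict:
    """Return link timestamp and mitigation opt-in flags of a PE image (DLL or EXE)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                        # COFF file header
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]  # TimeDateStamp
    opt = coff + 20                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # DllCharacteristics
    return {"timestamp": timestamp, "pe32plus": magic == 0x20B,
            "aslr": bool(dll_chars & DYNAMIC_BASE), "dep": bool(dll_chars & NX_COMPAT),
            "cfg": bool(dll_chars & GUARD_CF),
            "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA)}

def audit(data: bytes, now_ts: int, max_age_years: int = 3) -> list:
    """Findings for one binary: stale link date and missing standard mitigations."""
    info = inspect_pe(data)
    findings = []
    if now_ts - info["timestamp"] > max_age_years * 365 * 86400:
        built = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc).date()
        findings.append("built %s, older than %d years" % (built, max_age_years))
    for key, label in (("aslr", "ASLR (DYNAMIC_BASE)"), ("dep", "DEP (NX_COMPAT)"),
                       ("cfg", "CFG (GUARD_CF)")):
        if not info[key]:
            findings.append("missing " + label)
    if info["pe32plus"] and not info["high_entropy_va"]:
        findings.append("missing HIGH_ENTROPY_VA")
    return findings

def make_sample(timestamp: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header (no sections, not loadable) for offline use."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 72, 0x2022)
    opt = struct.pack("<H", 0x20B) + bytes(68) + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + opt
```

Running `audit` over every DLL in a tool's install directory gives a quick inventory of which bundled components have opted out of ASLR, DEP or CFG and which have not been rebuilt in years; a flag set in the header only shows the image opts in, so it is a screening check, not proof of hardening.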
Marlinspike included a video showing UFED as it parses a file he formatted to execute arbitrary code on the Windows device. The payload uses the Windows MessageBox API to display a benign message, but Marlinspike said “it is possible to execute any code, and a real exploit payload would likely attempt to unobtrusively modify previous reports, compromise the integrity of future reports (perhaps at random!), or exfiltrate data from Cellebrite machines.”
Marlinspike said he also found two MSI installer packages digitally signed by Apple that appear to have been extracted from the Windows installer for iTunes. He questioned whether their inclusion violates Apple’s copyright. Neither Apple nor Cellebrite commented before this post was published.
Marlinspike said he obtained the Cellebrite gear in a “truly incredible coincidence” as he was out for a walk and “saw a small package fall off the truck in front of me.” The incident does indeed seem to have been truly incredible. Marlinspike declined to give further details on how exactly he came into possession of the Cellebrite tools.
The fell-off-a-truck line is not the only tongue-in-cheek statement in the post. Marlinspike also wrote:
In completely unrelated news, upcoming versions of Signal will periodically fetch files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing and will iterate through those slowly over time. There is no other significance to these files.
The vulnerabilities could give defense attorneys fodder to challenge the integrity of forensic reports generated with Cellebrite software. Cellebrite representatives did not respond to an email asking whether they are aware of the vulnerabilities or plan to fix them.
“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” Marlinspike wrote.
Post updated to add the third- and fourth-to-last paragraphs.