Leaf&Core

Smartphone Hacking Firm May Have Illegal Code, Vulnerabilities, and Make Falsifying Evidence Easy

Reading Time: 4 minutes.

Speak Freely  Say "hello" to a different messaging experience. An unexpected focus on privacy, combined with all of the features you expect. [A button reads "Get Signal"]

Screenshot from Signal.org

Cellebrite is a favorite among law enforcement and oppressive regimes all around the world. The tools help authorities hack into a person’s device to extract information. Some of these tools are also available online, on eBay, often for less than $100, so thieves can potentially make use of them as well. They’ll happily unlock phones to sell them or blackmail users based on the information in them. Oppressive regimes can use them to find evidence like a person’s religion, their sexuality, or their beliefs on civil rights. The tools are incredibly invasive, and have already hurt an unknown number of people.

According to Signal’s CEO, however, Cellebrite’s own tools are vulnerable to hacking. In fact, the tools used by police all around the world may have stolen code from Apple and feature backdoors that are easy to exploit. These backdoors make planting evidence easy and impossible to detect. In other words, any evidence found by Cellebrite’s hacking tools may be invalid. If it’s this easy to use Cellebrite’s tools to plant untraceable evidence, then it’s clear that results found by Cellebrite’s tools can’t be used in court.

Furthermore, isn’t it ironic that the tool used by security professionals may contain illegally obtained code?

Signal protects their users with truly private chats and end-to-end encryption. Now they might have protected people from wrongful searches and false imprisonment.

Hacking Cellebrite

Hacking a company that breaks security would have to be an impossibly difficult task, right?

Wrong.

Well, that’s at least according to “moxie0,” aka Moxie Marlinspike, the CEO of Signal. Marlinspike claims he got his Cellebrite kit “off the back of a truck,” and, using it, was able to find some very simple security flaws.

Cellebrite works by making a copy of the data on a device onto a host machine’s storage. Think of it like your iTunes backup. In fact, according to Marlinspike, the software Cellebrite is using actually includes possibly stolen Apple software for backing up iOS devices. Neat!

If someone places a special file on a target device, either by sending it to them via email, or storing it in app storage, the host machine, the one doing the copying using Cellebrite’s software, will execute code. This means a file on a target device can make a host machine do something. This is like an injection attack. You sneak code onto a computer, and, once it’s there, the computer is yours to do whatever you want. In this case, you could make it delete all backups stored, you could insert files and fake messages, falsifying evidence, or you could do literally anything else. You have full access to the machine. Whatever you want to do. All because someone thought it was a good idea to try to break into a device using Cellebrite’s tools.

This is an incredibly simple hack, one that we usually prevent using data sanitation. Signal’s CEO claims they’re not doing it at all.

Dangerous Implications

This has some serious implications. For example, since the executable file on a user’s device could come from anywhere, it could be possible to falsify evidence collected by Cellebrite’s tools. This could allow authorities to plant evidence on protestors, political rivals, or journalists. If someone wanted to kill a person, they could simply plant the right evidence on their device using Cellebrite’s tools and, in the right oppressive regime, they could be killed.

The tool that is made to produce evidence can falsify evidence. Law enforcement and oppressive regimes all over the world oppress citizens and invade privacy with Cellebrite’s tools. If these vulnerabilities are as bad as Marlinspike claims, Cellebrite’s putting thousands of people in danger. Frankly, courts can’t even trust data that comes from Cellebrite, but that may not be enough to stop them.

Signal’s Protection

Cellebrite claims they can access files stored on a device from Signal. This allows them to read messages sent and received on Signal. This is a big deal because Signal can’t even read users’ messages. Messages are encrypted end to end, so Signal has nothing. There’s no data to hand over to authorities if they request it. This makes Signal one of the safest apps for messaging.

However, because of the way iOS and Android work, the messages are decoded on the device using the user’s keys. Unless you do something on iOS, like restart the device or force it to lock (hold down the lock button and volume down button, for example), Celebrite can use your decrypted files to find out what’s in your Signal messages. You can delete your signal messages frequently, always keep your device locked or off, or… you could just rely on future updates from Signal.

 

“In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.”

– Moxie Marlinspike

If, for example, Signal put some random files in the app, purely for aesthetic reasons, the app could, potentially, possibly, maybe, force Cellebrite to delete anything it had copied off of a user’s phone.

Signal’s CEO says they will release all details of the hacks so Cellebrite can fix the vulnerabilities just as soon as Cellebrite reveals the vulnerabilities they use to crack into iOS and Android devices.

So, never.

We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.

-Moxie Marlinspike

I don’t know about you, but that sounds like a good reason to download Signal, at least for aesthetic reasons.

Also for the secure messaging.


Sources:

 

Exit mobile version