After cellphone hacking company Cellebrite said it had found a way to access the Signal secure messaging app, Signal said in a blog post that it had turned the tables. App creator Moxie Marlinspike claimed his team obtained the Cellebrite hack kit and discovered several vulnerabilities. He then hinted that Signal will update the app to prevent any attempts by law enforcement to hack it.
Cellebrite sells a suite of “data analysis devices” called UFED that allows law enforcement to break into iOS or Android phones and extract email logs, call records, photos and other data. It was most famously used by the FBI to unlock the iPhone of the San Bernardino shooter in 2016-2017; the agency reportedly paid up to $900,000 for the tools.
Marlinspike managed to get a Cellebrite UFED, along with the software and the hardware dongle, joking that it fell off a truck while he was on a ride. (Older versions of the devices have appeared on eBay and other sites in the past.)
He noted that it was using old and outdated DLLs, including a 2012 version of FFmpeg and MSI Windows installer packages for Apple’s iTunes program. “Looking at both UFED and Physical Analyzer, however, we were surprised to find that very little care appears to have been given to Cellebrite’s own software security,” he wrote.
The Signal team found that by including “specially formatted but otherwise harmless files in any application on a device” that Cellebrite analyzed, they could execute code that alters the UFED report. For example, it could potentially insert or delete text, emails, photos, contacts and other data without leaving any trace of tampering.
In a tweet, Signal demonstrated the hack in action, with UFED parsing a formatted file to execute code and display a benign message. However, the company said “a true operating payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports, or exfiltrate data from the Cellebrite machine.” Marlinspike then hinted that he could install such code in Signal to thwart future Cellebrite extraction attempts by law enforcement.
Signal released details of Cellebrite’s alleged vulnerabilities without notifying the company, but said it would change tactics if Cellebrite returned the favor. “We are of course willing to responsibly disclose the specific vulnerabilities of which we are aware to Cellebrite if they do the same for any vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”
Cellebrite told Ars Technica that it “is committed to protecting the integrity of our customers’ data, and we continually audit and update our software to equip our customers with the best digital intelligence solutions available.” Signal’s claims should be treated with some skepticism without seeing more details about the hack, as well as confirmation by other security experts.