Cellebrite, an Israeli company that’s been selling smartphone unlocking devices to governments and police agencies across the world, just got humiliated.
On Wednesday, the founder of the encrypted chat app Signal announced he got his hands on a smartphone unlocking device from Cellebrite, and discovered the technology is full of exploitable software flaws.
The Cellebrite device, called the UFED, is so vulnerable the machine can be manipulated if it scans a specially-configured file on a smartphone, claims Signal’s founder Moxie Marlinspike. Hence, any evidence the UFED pulls for police investigators can be called into question.
“For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way,” Marlinspike wrote in a blog post.
The modifications can be implemented without detectable timestamp changes or failures in the digital values. “Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices,” he added.
To illustrate the flaws, Marlinspike’s blog post contains a video demonstrating an iPhone tricking Cellebrite’s UFED device to post a hacker-created message.
Interestingly, he then implies Signal itself is adding some specially formatted files to the messaging app capable of scrambling Cellebrite’s technology.
“In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage,” he wrote. “These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.”
However, Cellebrite is playing down the alleged flaws. "Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available," the company said in a statement without elaborating.
One mystery is how Signal’s founder exactly got his hands on a Cellebrite UFED device. According to Marlinspike, the device fell off a truck, which coincidentally landed right in front of him as he was taking a walk.
We’re pretty sure Marlinspike is trying to cover up his true source. In the meantime, Signal’s founder wrote he’s willing to disclose all the flaws he found in the company’s technology — but only if they do the same and reveal how Cellebrite is extracting data from locked smartphones. Back in December, Cellebrite wrote its own blog post about how the company has been helping law enforcement access data from the Signal app on confiscated smartphones.