Turnabout: It looks like phone-cracking company Cellebrite had its own vulnerabilities exposed
“Snoop onto them… as they’d snoop onto us.”
Moxie Marlinspike, founder of the encrypted messaging app Signal, revealed on Wednesday what he said were vulnerabilities in software that the company Cellebrite uses to break into encrypted phones. To accompany a blog post on what Marlinspike and his team of researchers learned, Signal produced a demonstration video featuring the above line of dialogue from the movie “Hackers.”
In a blog post evidently dripping with sarcasm, Marlinspike detailed how he obtained the latest version of the company’s software, named UFED and Physical Analyzer, when he saw a small package fall off the back of a truck, prompting some digital probing.
The vulnerabilities would amount to an ironic turn for Cellebrite, which makes its money hacking into smartphones. Its customer base includes the U.S. government and some authoritarian regimes, although the Israeli company recently announced it would stop doing business with Russia or Belarus.
Until recently, the company was widely suspected to have cracked the iOS encryption on an iPhone belonging to a mass shooter, a case that served as a flashpoint in the debate over whether U.S. law enforcement should have access to protected messages.
“Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious,” he wrote.
“Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security,” Marlinspike wrote (emphasis his). “Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.”
It’s unclear how others might make use of what Signal uncovered, but the blog post alluded to reports that Cellebrite has hoarded software vulnerabilities instead of disclosing them to vendors. Marlinspike is a hacker, cryptographer, encryption evangelist and a self-described former anarchist accustomed to confrontation. The blog post was no exception.
“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” the post reads.
A Cellebrite announcement about Signal appeared to provoke Marlinspike’s ire.
Marlinspike also suggested that researchers had found evidence of Cellebrite violating an Apple copyright: installer packages digitally signed by Apple.
A spokesperson for Cellebrite said its policies both limit the customers it sells to and prevent the abuse of its products, and defended its internal security practices.
“Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available,” the spokesperson said.
Neither Signal nor Marlinspike responded to messages seeking comment about how he obtained the software or additional information about a planned Signal update Marlinspike mentioned at the bottom of the blog post.
Apple also did not respond to a request for comment.