For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into seized cell phones, mostly by exploiting vulnerabilities overlooked by device manufacturers. Now Moxie Marlinspike, creator of the Signal messaging app, has turned the tables on Cellebrite.
On Wednesday, Marlinspike published a report describing vulnerabilities in Cellebrite software that allowed him to run malicious code on the Windows computer used to analyze devices. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files, which can be embedded in any app installed on the device being scanned.
Virtually no limits
“There are virtually no limits to the code that can be run,” Marlinspike wrote.
For example, by including a specially formatted but otherwise harmless file in an app on a device that is then scanned by Cellebrite, it is possible to run code that not only changes the Cellebrite report created in that scan, but also all past and future Cellebrite reports from all previously scanned devices and all future scanned devices, in any way (inserting or deleting text, email, photos, contacts, files, or other data), with no discernible timestamp changes or checksum errors. This could even happen randomly, and it seriously calls into question the data integrity of Cellebrite’s reports.
Cellebrite offers two software packages: the UFED breaks through locks and encryption protections to collect deleted or hidden data, and a separate Physical Analyzer reveals digital evidence (“trace events”).
To do their job, both Cellebrite products have to parse all kinds of untrusted data stored on the device being analyzed. Typically, software this promiscuous undergoes all sorts of security testing to detect and fix any memory corruption or parsing vulnerabilities that could allow attackers to execute malicious code.
“But looking at both the UFED and the Physical Analyzer, we were surprised to find that little attention seems to have been paid to Cellebrite’s proprietary software security,” Marlinspike wrote. “Industrial standards for mitigating exploits are lacking, and there are many opportunities for exploitation.”
An example of this lack of hardening was the inclusion of Windows DLL files from the audio/video conversion software known as FFmpeg. The bundled build dates from 2012 and has not been updated since. Marlinspike said FFmpeg has received more than 100 security updates in the intervening nine years. None of these fixes are present in the FFmpeg DLLs shipped with the Cellebrite products.
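The two problems just described, a nine-year-old third-party build and missing exploit mitigations, are both visible in a Windows binary's PE headers, so an auditor of a forensic workstation can check for them without running anything. The following script is an added example written for this article, not code from Signal, Cellebrite or the report: it reads the COFF link timestamp and the DllCharacteristics flags (ASLR, DEP, Control Flow Guard, high-entropy ASLR) from a PE image and turns them into findings. The `build_stub_pe` helper constructs a minimal, non-loadable PE header so the script runs offline; the 2012 timestamp and the flag values in the sample are constructed for the demonstration and are not taken from the actual Cellebrite DLLs.

```python
import struct
from datetime import datetime, timezone

# DllCharacteristics flag bits, as defined in the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # image is compatible with DEP (no-execute data pages)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR over a large address range
GUARD_CF = 0x4000          # Control Flow Guard instrumentation present


def pe_mitigations(data: bytes) -> dict:
    """Read the COFF link timestamp and DllCharacteristics flags from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total).
    machine, _, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "build_time": datetime.fromtimestamp(timestamp, timezone.utc),
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "cfg": bool(dllchar & GUARD_CF),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
    }


def audit(data: bytes, as_of: datetime = None, max_age_years: int = 5) -> list:
    """Return human-readable findings: missing mitigations and a stale build date."""
    info = pe_mitigations(data)
    as_of = as_of or datetime.now(timezone.utc)
    findings = []
    if not info["aslr"]:
        findings.append("no ASLR (DYNAMIC_BASE not set)")
    if not info["dep"]:
        findings.append("no DEP (NX_COMPAT not set)")
    if not info["cfg"]:
        findings.append("no Control Flow Guard")
    if info["pe32plus"] and not info["high_entropy_va"]:
        findings.append("64-bit image without high-entropy ASLR")
    age_days = (as_of - info["build_time"]).days
    if age_days > max_age_years * 365:
        findings.append(f"built {info['build_time']:%Y-%m-%d}, "
                        f"{age_days // 365} years before the audit date")
    return findings


def build_stub_pe(dll_characteristics: int, timestamp: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal (non-loadable) PE header so the checks can run without a real DLL."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature directly after the DOS header
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, opt_size, 0x2002)  # EXECUTABLE|DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample: a 32-bit DLL linked in mid-2012 with no mitigation flags at all.
    stale = build_stub_pe(0, 1338508800)
    for finding in audit(stale):
        print("finding:", finding)
```

Run against a directory of real DLLs, the same two functions give a quick inventory of which bundled components were linked without ASLR, DEP or CFG and how old each build is; a component that trips both checks is exactly the kind of parser the article's next paragraph is concerned about.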
Marlinspike included a video that shows UFED parsing a file he formatted to run arbitrary code on the Windows device. The payload uses the MessageBox Windows API to display a benign message, but Marlinspike said that “it is possible to run any code, and a real exploit payload would probably try to undetectably alter previous reports, compromise the integrity of future reports (perhaps randomly!), or pull data from the Cellebrite machine.”
Marlinspike said he also found two MSI installer packages digitally signed by Apple that appear to have been extracted from the Windows installer for iTunes. Marlinspike questioned whether bundling them infringed Apple’s copyrights. Apple did not immediately comment.
In an email, a Cellebrite representative wrote: “Cellebrite is committed to protecting the integrity of our customers’ data, and we continuously monitor and update our software to equip our customers with the best digital intelligence solutions available.” The rep did not say whether the company’s engineers were aware of the vulnerabilities that Marlinspike had described or whether the company had permission to bundle Apple software.
Marlinspike said he got the Cellebrite gear in a “truly unbelievable coincidence” when, while out walking, he saw “a small package fall off a truck in front of me.” The story does indeed seem unbelievable. Marlinspike declined to provide additional details about exactly how he came into possession of the Cellebrite tools.
The truck line wasn’t the only ironic statement in the post. Marlinspike also wrote:
In completely unrelated news, upcoming versions of Signal will periodically fetch files to put in app storage. These files are never used for anything within Signal and never interact with Signal software or data, but they look good and aesthetics are important in software. Files are only returned for accounts that have been actively installed for a while, and probably only in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will slowly progress over time. There is no other meaning to these files.
The vulnerabilities could provide fodder for lawyers to challenge the integrity of forensic reports generated using the Cellebrite software. Cellebrite representatives did not respond to an email asking if they were aware of the vulnerabilities or had plans to fix them.
“We are, of course, willing to responsibly disclose the specific vulnerabilities we know of to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors now and in the future,” Marlinspike wrote.
Updated post to add fourth and penultimate paragraphs and to add comments from Cellebrite.
Listing image by Reid Rosenberg / Flickr