Secure messaging company Signal has successfully used an iPhone SE to hack Cellebrite‘s phone-cracking software. The company says that anyone could place a file on their iPhone that effectively renders useless any data extraction performed on the phone, and that it will be doing this for Signal users.
Signal says that the file could also compromise all past and future reports generated from the Cellebrite Windows app …
Signal clearly managed to get its hands on the software by some means it doesn’t wish to disclose, as it opens with a tongue-in-cheek description of how that happened.
By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
The company said that the very nature of the software meant that it was likely to prove vulnerable unless Cellebrite took steps to protect it.
Anyone familiar with software security will immediately recognize that the primary task of Cellebrite’s software is to parse “untrusted” data from a wide variety of formats as used by many different apps. That is to say, the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.
Incredibly, it found Cellebrite had left its app wide open, giving the example of one DLL missing over 100 security updates! That, said Signal, made it child’s play to hack the code.
Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.
One obvious route to render the data extraction virtually useless would be to insert or remove data from Cellebrite’s download. In that way, it would be impossible to know what was really on the phone and what was added or removed by the hack. That data corruption could be applied to any data extracted by the software, in the past or future.
It’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
Signal shows a video demo in which it caused a machine running the Cellebrite software to display an arbitrary message, but says this is merely an innocuous proof of concept.
In an epic piece of trolling, Signal says it will tell Cellebrite how it did it if the phone hacking company will in turn reveal its own secrets.
We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.
Further, Signal will ensure that future versions of its app are designed to hack PCs running Cellebrite apps if they are ever connected to them.
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.
Update: Signal how now updated the blog post with more details, and also said it will now randomly place different files on different phones, making it harder for Cellebrite to know whether it is present, and allowing variations to go undetected for longer.
Finally, Signal notes that Cellebrite appears to be using Apple iTunes DLLs, which is almost certainly a breach of copyright. The blog post is a truly fun read.
FTC: We use income earning auto affiliate links. More.