Thursday, April 22, 2021

Exploiting Vulnerabilities in Cellebrite

Moxie Marlinspike:

Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.


Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned.


Also of interest, the installer for Physical Analyzer contains two bundled MSI installer packages named AppleApplicationsSupport64.msi and AppleMobileDeviceSupport6464.msi. These two MSI packages are digitally signed by Apple and appear to have been extracted from the Windows installer for iTunes version


In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.


Update (2021-05-05): Lucas Ropek (via Hacker News):

A Maryland defense attorney has decided to challenge the conviction of one of his clients after it was recently discovered that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, has severe cybersecurity flaws that could make it vulnerable to hacking.

Update (2021-05-19): Riana Pfefferkorn (via Hacker News):

What will be the likely ramifications of Signal’s discovery in court cases? I think the impact on existing cases will be negligible, but that Signal has made an important point that may help push the mobile device forensics industry towards greater accountability for their often sloppy product security. Nevertheless, I have a raised eyebrow for Signal here too.


So while computer security folks were giggling at Signal’s cute, clever blog post, lawyers like me were sighing. Why? Because of an important life lesson that engineers typically don’t understand: Judges hate cute and clever.


You aren’t helping your cause when a reporter can’t tell which parts of your blog post are jokes and which parts are serious, or what you mean by your weird coy phrasing. This blog post was plainly written in order to impress and entertain other hackers and computer people. But other hackers aren’t the real target audience; it’s lawyers and judges and the law enforcement agencies that are Cellebrite’s customers. They tend to prefer clear communication, not jokes and references to 25-year-old cult films.


And meanwhile, the existence of Cellebrite devices has served as, I think, a safety valve to keep backdoor mandates from being imposed on smartphone manufacturers in the U.S. to date, despite the occasional effort to do so.

1 Comment

Old Unix Geek

Kind of makes me want to download Signal, but never run it, just for its aesthetics :-) .
