Signal’s Cellebrite hack: sending an ultimatum to spy software
It appeared out of thin air, says Signal founder and white hat hacker Moxie Marlinspike in a blog post for his messenger Signal (Google Android and Apple iOS). He’s referring to an analysis kit made by software manufacturer Cellebrite which has caused quite a stir. Moxie and his team dived deep and analysed the software.
In the process, they’ve identified major security gaps. Now Signal is threatening to actively exploit these loopholes.
Spy software for law enforcement
Cellebrite is a software company from Israel headquartered in Petah Tikva. The company, founded in 1999 by Avi Yablonka, Yaron Baratz and Yuval Aflalo, specialises in mobile device monitoring. Their software packages «Physical Analyzer» and «UFED» are used by police forces and governments around the world. This software isn’t available publicly, at least theoretically, and its exact functionality isn’t explained anywhere.
Physical Analyzer and UFED are used to extract data from smartphones and search them.
For that to happen, Moxie Marlinspike continues, a Cellebrite user must physically hold the target’s smartphone. Accessing data via the Internet or wireless networks using Cellebrite products is impossible.
Cellebrite’s products are associated with governments that aren’t big on human rights. «Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere,» Moxie writes.
A few months ago, the Israeli company also announced that Cellebrite would support Signal. Moxie quickly assured users that there was no chance of Cellebrite breaking Signal’s encryption: the feature simply described the «open app, view messages» process, which Cellebrite had automated and which requires an unlocked smartphone.
Hacking Cellebrite: a small glossary
In order for you to understand what exactly Moxie Marlinspike did, and why no legal system can or should in good conscience use Cellebrite’s software for evidence, you need to understand some terms and concepts.
UFED is a Cellebrite program. It claims to be able to «legally» bypass the PINs, patterns and passwords of locked smartphones. Several data collection mechanisms are designed to contextualise the «legitimately» extracted data and reconstruct even more from what has been found. To this end, UFED is said to be able to «legitimately» access up to 40 apps. At its most basic, you can think of it as backup software. What Cellebrite really wants you to know: everything they do is legal.
UFED comes pre-installed on a Panasonic ruggedized laptop upon request. This is done to enable data tapping on the move.
Physical Analyzer is another Cellebrite program. It decodes the data extracted by UFED and presents it visually. Moxie describes it as a «frontend to adb backup», i.e. a nicely presented view of a backup. Physical Analyzer must be able to read the data from your smartphone, i.e. it needs read access. Write access isn’t required for that, but is included nonetheless.
Physical Analyzer is delivered preinstalled on a workstation specially optimised for the program on request. This should speed up the processing of data cracked by UFED.
UFED and Physical Analyzer often come as a package. It is rare for a government or regime to order UFED without Physical Analyzer and vice versa. You can think of it sort of like the Microsoft Office suite of spy software.
ffmpeg is open-source software. Since its inception in 2000, ffmpeg has been continuously developed and is used in dozens of projects by other software vendors. ffmpeg can convert videos, trim them, alter the audio track and much more.
In information security circles, ffmpeg is known for openly communicating many vulnerabilities and fixing them in a timely manner. The fact that many vulnerabilities are known doesn’t necessarily mean the software is inherently unsafe; it can also reflect that the ffmpeg team works actively and transparently.
As the MITRE vulnerability list shows, there are 355 vulnerabilities publicly known to date. They should all be patched, at least in theory. The rule of thumb is: if you use ffmpeg, keep the software up to date.
Arbitrary Code Execution
Arbitrary code execution, sometimes called arbitrary code injection, is a technique used by hackers. By exploiting a vulnerability, a hacker can make a program execute arbitrary code. The code can do anything from displaying an error message to collecting passwords and credit card information.
This arbitrary code is also referred to as «specific code». It is delivered as input formatted, to use the technical term, in an «unexpected way»: the vulnerable software receives data it cannot handle correctly and behaves in a way its developers never intended. A simple illustration: typing code into a search box can provoke an error message.
Trusted and untrusted sources are a concept in software communication. When software A talks to software B, there must be a relationship of trust; in principle, the programs agree that «Yes, I trust you won’t do anything naughty with my data».
It is also possible for software A to hand its data to a program it doesn’t trust. Such programs are what we call «untrusted sources».
The concept of trusted/untrusted sources is predominantly used in the context of smartphones. When you install an app from the App Store, it comes from a trusted source. If you sideload it, i.e. install it manually or via a third-party store, then the source isn’t trustworthy.
Software usually prevents communication with untrusted sources unless the user explicitly allows communication.
The flaws in Cellebrite’s software
Moxie’s research found a variety of vulnerabilities. There are two reasons for this:
- Cellebrite doesn’t seem to care much about the security of its own software.
- Cellebrite’s software is classified as «untrusted» by all devices and programs. This is because even on a basic level, UFED and Physical Analyzer must function as «untrusted». No smartphone manufacturer will provide for the functionality of Cellebrite products, as unauthorised backups and decryption aren’t built into Apple’s iOS or Google’s Android by the creator.
«[…] almost all of Cellebrite’s code exists to parse untrusted input […],» Moxie writes.
The very fact that the software must treat its input as untrusted could be Cellebrite’s undoing legally. If the method of data extraction is «untrusted», then its results cannot be trusted either, and for sound evidence, integrity is paramount.
Such software would have to be kept up to date at all times if it were to strive for the greatest possible data integrity. Yet Moxie has discovered ffmpeg components from around 2012 in the code. That alone opens the door to all manner of manipulation of Cellebrite’s data output.
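The two points above, that a program which reacts «unexpectedly» to crafted input cannot be relied on (the arbitrary code execution entry in the glossary) and that a tool whose whole job is parsing untrusted input must check that input defensively, can be shown side by side. The following is an added example written for this article; it is not code from Signal or from Cellebrite. The record layout (one type byte, a two-byte big-endian length, then the payload), the size caps and the sample inputs are all constructed for the illustration.

```python
import struct
from typing import List, Tuple

# Caps chosen for this illustration (assumptions, not values from any real tool).
MAX_PAYLOAD = 4096   # largest single payload the parser will accept
MAX_RECORDS = 100    # most records the parser will accept per file

# Constructed sample inputs. Layout per record (invented for this example):
#   1 byte record type | 2 bytes big-endian payload length | payload
GOOD = b"\x01\x00\x03abc" + b"\x02\x00\x01z"
# Declares a 1024-byte payload but carries only three bytes.
UNDERSIZED = b"\x01\x04\x00abc"
# Header cut off after the type byte and one length byte.
TRUNCATED_HEADER = b"\x01\x00"


class MalformedInput(ValueError):
    """Raised by the hardened parser when the input breaks the format."""


def parse_trusting(data: bytes) -> List[Tuple[int, bytes]]:
    """Naive parser that believes every length field it reads.

    In Python, slicing past the end does not crash; it silently returns
    fewer bytes than were declared and the loop carries on. The output
    therefore no longer reflects what was in the file, which is the
    integrity problem the article describes. In a C parser, the same
    trust in a declared length is how memory-safety bugs arise.
    """
    records = []
    pos = 0
    while pos < len(data):
        rtype = data[pos]
        (length,) = struct.unpack_from(">H", data, pos + 1)
        payload = data[pos + 3 : pos + 3 + length]   # may be shorter than `length`
        records.append((rtype, payload))
        pos += 3 + length
    return records


def parse_hardened(data: bytes) -> List[Tuple[int, bytes]]:
    """Defensive parser: every length is checked against the bytes actually
    present before it is used, and the total amount of work is bounded."""
    records: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if len(records) >= MAX_RECORDS:
            raise MalformedInput("record cap exceeded")
        remaining = len(data) - pos
        if remaining < 3:
            raise MalformedInput(f"truncated header at offset {pos}")
        rtype = data[pos]
        (length,) = struct.unpack_from(">H", data, pos + 1)
        if length > MAX_PAYLOAD:
            raise MalformedInput(f"payload length {length} exceeds cap at offset {pos}")
        if length > remaining - 3:
            raise MalformedInput(
                f"record at offset {pos} declares {length} bytes, only {remaining - 3} remain"
            )
        payload = data[pos + 3 : pos + 3 + length]
        records.append((rtype, payload))
        pos += 3 + length
    return records


def is_well_formed(data: bytes) -> bool:
    """True when the hardened parser accepts the input, False when it rejects it."""
    try:
        parse_hardened(data)
    except MalformedInput:
        return False
    return True


if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("UNDERSIZED", UNDERSIZED)]:
        print(name, "trusting parser ->", parse_trusting(sample))
        print(name, "hardened parser accepts?", is_well_formed(sample))
```

The trusting parser returns a plausible-looking record for the undersized input and reports nothing wrong, which is exactly the behaviour that makes its output unusable as evidence; the hardened parser refuses the file and says where and why. A tool that parses data it did not produce itself needs the second kind of parser everywhere, and still needs its parsing libraries (ffmpeg among them) kept current, because a hardened wrapper does nothing for a bug inside the library it calls.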
Cellebrite, proudly stealing from Apple
In addition, Team Signal has discovered files named AppleApplicationsSupport64.msi and AppleMobileDeviceSupport6464.msi included in the Cellebrite suite, files that the Israeli company must have lifted from the 2018 version 188.8.131.52 Windows iTunes installer.
Cellebrite is NOT allowed to do this.
Apple controls who may handle these components and in what context. Given Apple’s general stance on data protection, we can assume one thing: Cellebrite has used these files without permission. As Cellebrite’s website is fond of reminding you, «legitimacy» is paramount.
This could have consequences should Apple take legal action against Cellebrite.
Moxie wrecking Cellebrite
Moxie has found at least one vulnerability classified as arbitrary code execution. If a hacker discovers such a vulnerability, then a variety of options are open to them.
Moxie has managed to turn this into an automatic exploit against Cellebrite’s software. When Physical Analyzer or UFED processes a file containing specially formatted content, Cellebrite’s software simply executes the code it carries. Such a file can be included in any app.
It gets worse: with a single file, Moxie can manipulate all of Cellebrite’s software reports, not just the report to which the file belongs but all previous and future reports too, all without triggering any integrity-check irregularities. In other words, Moxie has found a way to write data into UFED and Physical Analyzer, which completely undermines the software’s purpose.
In a video, Moxie shows how, during a normal scan, he can make Cellebrite’s software produce an error message displaying a quote from the movie «Hackers».
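The claim that one file can alter past and future reports without tripping an integrity check is, from a defender’s side, a statement about what such a check would need to look like. The following is an added example, not code from Signal or from Cellebrite: a keyed hash chain over a sequence of forensic reports in which every entry is bound to the one before it with an HMAC under a key the analysis tool itself never holds. Altering, removing or inserting any report then fails verification at the first affected entry. The report contents, the key and the case names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # placeholder "previous tag" for the first entry in a chain


def canonical(report: dict) -> bytes:
    """Deterministic serialisation so the same report always hashes the same."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev: str, report: dict) -> str:
    """Keyed tag binding this report to the tag of the one before it."""
    return hmac.new(key, prev.encode() + canonical(report), hashlib.sha256).hexdigest()


def append_report(chain: List[Dict], report: dict, key: bytes) -> Dict:
    """Append a report to the chain, linking it to the previous entry's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"report": report, "prev": prev, "tag": _tag(key, prev, report)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:            # link to predecessor broken (removal/insertion)
            return False, i
        expected = _tag(key, entry["prev"], entry["report"])
        if not hmac.compare_digest(expected, entry["tag"]):   # content or tag altered
            return False, i
        prev = entry["tag"]
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Build a three-report chain and show which manipulations are detected."""
    # Constructed key; in practice this lives in a signing service or token,
    # not on the workstation that parses untrusted input.
    key = b"constructed-demo-key-keep-off-the-analysis-box"
    chain: List[Dict] = []
    for rid, found in [(1, 12), (2, 7), (3, 40)]:
        append_report(chain, {"case": f"demo-{rid}", "messages_found": found}, key)
    results = {"intact": verify_chain(chain, key)}
    # Rewrite an already-produced report in place.
    chain[1]["report"]["messages_found"] = 0
    results["after_tamper"] = verify_chain(chain, key)
    chain[1]["report"]["messages_found"] = 7          # restore
    # A party without the key cannot produce valid tags.
    results["wrong_key"] = verify_chain(chain, b"not-the-key")
    # Drop the first report: the next entry no longer links to GENESIS.
    del chain[0]
    results["after_removal"] = verify_chain(chain, key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Two caveats matter here. The scheme only detects tampering if the key is held outside the tool that parses untrusted input; if that tool is compromised and can read the key, the tags are simply recomputed. And it only proves that a report has not changed since it was tagged, not that the report was correct when written, so data extracted by a parser of untrusted input still needs independent corroboration before it is treated as evidence.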
Moxie’s conclusion: If Cellebrite users want to rely on the results of their scans, then they should certainly avoid Cellebrite itself.
Signal wants to help Cellebrite
Moxie Marlinspike and Signal see themselves as white hat hackers, a role that carries great responsibility. They want to help manufacturers repair and improve their software, even if it is software that leads to suffering and death.
But Signal has tied their assistance to one condition: «We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.»
Furthermore, and in «completely unrelated news», Moxie has announced that Signal will soon be embellished with aesthetic files. These files aren’t intended to interact with Signal’s functionality or anything else and are only meant to beautify the app. Signal has even announced that it will distribute multiple, fundamentally different files across random app installs. But they’re all pretty, Moxie assures us. «[…] aesthetics are important in software,» he writes. If you haven’t caught on yet: the suspicion is that Signal will soon come with the files needed to hack Cellebrite preinstalled.
Senior Editor, Zurich