About a year ago Cellebrite started rolling out their latest and greatest hack: they were able to analyze Signal messaging app data for forensic purposes despite its built-in encryption. Now Moxie Marlinspike, creator of Signal, has published a post describing exploitable vulnerabilities in Cellebrite's software that allowed him to execute arbitrary code on the Windows computer used to analyze devices. In short, one is able to alter Cellebrite forensic reports, potentially making those reports inaccurate or inadmissible in a court of law.
Although Cellebrite's technology is often associated with bypassing security, it essentially creates a backup of the device via a frontend to adb backup on Android and iTunes backup on iPhone. The software then parses the files from the backup and generates a forensic report. As we covered in our previous post, when Cellebrite announced that they had added Signal support, they basically included support to parse Signal data while working around Signal's encryption.
Hack The Planet
It appears Cellebrite paid very little attention to the security of their own product, as “industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present”, Signal wrote in their blog post. One can create a specially formatted file in an app on a device that is then scanned by Cellebrite.
From that moment onward it is possible to execute code that modifies not just the forensic report being created in that scan, but also all previously generated reports from all previously scanned devices and all future reports from all future scanned devices!
Cellebrite’s technology is designed to help in digital investigations, as well as to recover data when a physical device is present on-site. While Cellebrite technology is in fact a collection of exploits (collected one way or another) attached to data parser the majority of these tools are built to allow easy extraction of information from various devices. Cellebrite official policy is to sell their equipment to specialized providers. But like any other item these days Universal Forensic Extraction Device (UFED) (including software, cables and case) can be purchased on-line mostly from those leaving the industry. Through reverse-engineering of one of these Cellebrite devices Marlinspike claims he found more than 100 security vulnerabilities.
This is very bad news, as Cellebrite announced that they have entered into a definitive business combination agreement and plan of merger with TWC Tech Holdings II Corporation. In the same time their signature product may no longer be “admissible” in the court of law.
As we promised we will continue to follow this story.