Details on Signal Hack of Cellebrite - ThreatWire Crosspost

By Shannon Morse, ThreatWire  https://www.patreon.com/threatwire

To refresh your memory, Cellebrite is the Israeli company that helps governments and police all over the world hack into confiscated mobile devices by exploiting vulnerabilities. They’ve been known to work with authoritarian regimes, though recently the company halted sales to Russia and Belarus. Cellebrite was also suspected to be the company that broke into the San Bernardino shooter’s phone (it was actually a company called Azimuth).

A few months ago, Cellebrite announced they could parse data from Signal with their extraction tool, the Cellebrite Physical Analyzer. Then last week, Moxie Marlinspike, the creator of Signal, published a report explaining that he had uncovered vulnerabilities in Cellebrite’s software. This seems like a very “mess with the best, die like the rest” moment.

Cellebrite requires a device in hand to break into it. The first piece of software, UFED, creates a backup of the device on their Windows machine, and the second part, the Physical Analyzer, parses the files and data into a browseable format for investigations. The Physical Analyzer can display Signal data from an unlocked device.

Marlinspike stated he was just walking along when a Cellebrite package fell off a truck ahead of him, and packaged inside were all the fun products he’d need to reverse engineer it. One example given is a set of FFmpeg DLLs from 2012 that were bundled within the Cellebrite software; FFmpeg has had more than a hundred security updates since that time.

The Signal team found they could execute arbitrary code on a Cellebrite machine by including a specially formatted file in any app on a device that is plugged into the company’s machine. That file could execute code on the Cellebrite machine that modifies reports created for scanned devices, past and future, with no changes to checksums or timestamps, which means the data integrity of Cellebrite reports could be called into question. Marlinspike explained that Signal is more than willing to responsibly disclose the details of these vulnerabilities to Cellebrite if Cellebrite does the same for all the vulnerabilities it uses in its physical extraction techniques and any other services it offers. A video demonstrating the exploit is included in the blog post published by Signal.

The Signal post also details two MSI installer packages included in the Cellebrite software that are digitally signed by Apple and appear to have been extracted from iTunes for Windows, used to interact with iOS devices. Apple likely has not granted Cellebrite permission to redistribute these Apple DLLs in the analyzer.

Lastly, an update is coming to Signal that will include some aesthetically pleasing and routinely updated files that don’t do anything inside of Signal, nor do they interact with the Signal software; they’re just there, for no reason.

The post doesn’t include any further technical details, and neither Apple nor Cellebrite has responded to outlets’ questions. We also don’t know any further details about the upcoming changes to Signal, nor when they would take effect.


Signal on Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/ and https://signal.org/blog/cellebrite-and-clickbait/

https://www.haaretz.com/israel-news/.premium-israeli-phone-hacking-firm-cellebrite-halts-sales-to-russia-after-haaretz-report-1.9633312 

https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/ 

https://www.vice.com/en/article/k78q5y/signal-ceo-hacks-cellebrite-iphone-hacking-device-used-by-cops 

https://www.zdnet.com/article/signal-rattles-sabre-and-exposes-crackable-cellebrite-underbelly/ 

https://www.cyberscoop.com/cellebrite-signal-moxie-marlinspike-ufed/ 

https://www.bleepingcomputer.com/news/security/signal-ceo-gives-mobile-hacking-firm-a-taste-of-being-hacked/ 

https://www.cellebrite.com/en/cellebrites-new-solution-for-decrypting-the-signal-app/
