To hack or to be hacked? The choice is one or the other, or at least that is what Signal's CEO seemed to have in mind.
Moxie Marlinspike, a cryptographer and the founder of the popular security-focused messenger, revealed that he found a way to exploit vulnerabilities in software from Cellebrite, a company that specializes in digital forensics tools that have been used by authorities around the world to extract data from mobile devices.
Cellebrite has been in the news numerous times, both because of its products and because of the criticism the company has received for its willingness to sell them to pretty much any government that wishes to have them.
Cellebrite's clients include some powerful countries like the U.S., as well as some repressive regimes around the world.
And this time, Marlinspike went on the offensive.
In a blog post, he claimed that he found one of the company’s devices when it fell off "a truck ahead of me."
Knowing this, Marlinspike seemed to be furious, and decided that he wanted to be the first to strike.
Following his claimed find, Marlinspike went to work and found that Cellebrite has shown little interest in securing its own software.
Our latest blog post explores vulnerabilities and possible Apple copyright violations in Cellebrite's software:
"Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective" https://t.co/DKgGejPu62 pic.twitter.com/X3ghXrgdfo
— Signal (@signalapp) April 21, 2021
To demonstrate the possibilities of the hack, the Signal team used the MessageBox Windows API to display a message that read: MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!
Marlinspike also found that the code can modify past and future reports, which, if true, should make Cellebrite's clients question the authenticity of the device.
And lastly, Marlinspike found signed packages of iTunes version 12.9.0.167, possibly extracted from the Windows Installer, that could trigger a copyright violation claim against Cellebrite from Apple if the forensics company had included these packages without Apple’s permission.
"It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users," Marlinspike said.
And to pour gasoline on the fire, Marlinspike said that Signal will responsibly disclose all vulnerabilities to the company if it would “do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”
It should be noted that Cellebrite has made hefty claims in the past. But security researchers have claimed that it has been easy to execute code on those extractors, and Marlinspike is one of the most prominent among them.
Responding to this incident, a Cellebrite representative said that the company holds regular audits of its software, but didn’t specifically comment on the hack: