Signal's Founder And CEO Claimed To Have Hacked Into One Popular Hacking Tool

Signal and its founder Moxie Marlinspike

To hack or to be hacked? The choice is one or the other, and that was at least what Signal's CEO had in his mind.

Moxie Marlinspike, a cryptographer, who is also the founder of the popular security-focused messenger, revealed that he found a way to exploit vulnerabilities in the software from Cellebrite, a company that specializes in digital forensics tools that have been used by authorities around the world to extract data from mobile devices.

It has been for numerous times that Cellebrite was mentioned in the news because of its products, as well as because of the criticisms the company received due to its willingness in selling its products to pretty much any government who wishes to have it.

Cellebrite's clients include some powerful countries like the U.S., as well as some repressive regimes around the world.

And this time, Marlinspike goes offensive.

In a blog post, he claimed that he found one of the company’s devices, as it falls off "a truck ahead of me."

"Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software."

Knowing this, Marlinspike seemed to be furious, and decided that he wanted to be the first to strike.

Following his claimed findings, Marlinspike went to work and found that Cellebrite has put little interest in securing its own software

"Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed."

To demonstrate the possibilities of the hack, the Signal team used the MessageBox Windows API to display the message that read: MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!

Marlinspike also found that Celcode can also modify past and future reports, which if it's true, should make Cellebrite's clients question the authenticity of the device.

And lastly, Marlinspike also found signed packages of iTunes version - possibly extracted from the Windows Installer - that could trigger a copyright violation against Cellebrite from Apple, only if the forensics company had included these packages without Apple’s permission.

"It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users," Marlinspike said.

And to put gasoline on top of the fire, Marlinspike said that Signal will responsibly disclose all vulnerabilities to the company if it could “do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”

It should be noted that Cellebrite has made hefty claims in the past. But security researchers have claimed that it’s been easy to execute code on those extractors, and Marlinspike is one of the most prominent.

Responding to this incident, a Cellebrite representative said that the company holds regular audits of its software, but didn’t specifically comment on the hack:

"Cellebrite enables customers to protect and save lives, accelerate justice and preserve privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community. Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available."