According to Signal, the developer of the privacy-focused messaging app of the same name, Cellebrite’s forensic tools lack the security safeguards one would expect of software whose whole job is to parse untrusted data, leaving them open to attack.
The Israel-based mobile forensics company provides data extraction and analysis products to intelligence organisations and public-safety agencies, as well as to military and corporate customers, and claims customers in more than 140 countries. It has been linked to efforts by the FBI to access data on locked phones in high-profile cases, but it has also been accused of supplying its tools to oppressive regimes.
Two of the company’s products, the Universal Forensic Extraction Device (UFED) and Physical Analyzer, parse data pulled from seized devices. Cellebrite has no control over what the applications on such a device have stored, so its software must make sense of whatever it is handed, and that is what exposes it to attack.
This “untrusted” data, as Signal describes it, comes in a variety of formats depending on the applications that created it, and any application can store data formatted so as to trigger the usual classes of parser vulnerability, such as memory corruption, in the tool that later reads it.
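The failure mode described above, as an added illustration that is not code from Signal’s post, from Cellebrite, or from any real app: a minimal C parser for a constructed TLV record format (the format, the record types and the 64-byte name slot are all assumptions made for this example). The unchecked version trusts the length field it reads out of the extracted data, exactly the class of bug the text is talking about; the checked version validates every length against both the remaining input and the destination capacity before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example (not any real app or
 * Cellebrite format):  type (1 byte) | length (2 bytes LE) | value.
 * Type 1 is a "contact name" that the parser copies into a fixed slot. */
#define SLOT_SIZE 64
#define TYPE_NAME 1

typedef struct {
    char name[SLOT_SIZE];
    int  names_seen;
} report_t;

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked parser: trusts the length field taken from the extracted data.
 * A name record longer than SLOT_SIZE writes past `name`; a length that
 * runs past the end of the input reads out of bounds. It is only ever
 * called on the well-formed sample below; on hostile input its behaviour
 * is undefined, which is the whole point. */
int parse_unchecked(const uint8_t *buf, size_t n, report_t *r)
{
    size_t off = 0;
    r->names_seen = 0;
    while (off < n) {
        uint8_t type = buf[off];
        uint16_t len = rd_u16(buf + off + 1);   /* no check that off+3 <= n */
        const uint8_t *val = buf + off + 3;
        if (type == TYPE_NAME) {
            memcpy(r->name, val, len);           /* no check against SLOT_SIZE */
            r->name[len] = '\0';
            r->names_seen++;
        }
        off += 3 + (size_t)len;
    }
    return 0;
}

/* Checked parser: every length is validated against both the remaining
 * input and the destination capacity before any copy. Returns 0 on success
 * and -1 on a malformed stream, leaving the caller's report untouched. */
int parse_checked(const uint8_t *buf, size_t n, report_t *r)
{
    report_t tmp = {{0}, 0};
    size_t off = 0;
    while (off < n) {
        if (n - off < 3) return -1;              /* truncated header */
        uint8_t type = buf[off];
        uint16_t len = rd_u16(buf + off + 1);
        if (len > n - off - 3) return -1;        /* value runs past the input */
        const uint8_t *val = buf + off + 3;
        if (type == TYPE_NAME) {
            if (len >= SLOT_SIZE) return -1;     /* leave room for the NUL */
            memcpy(tmp.name, val, len);
            tmp.name[len] = '\0';
            tmp.names_seen++;
        }
        off += 3 + (size_t)len;
    }
    *r = tmp;
    return 0;
}

/* Constructed well-formed sample: name "Alice" followed by a type-2 record. */
static const uint8_t BENIGN[] = {
    TYPE_NAME, 5, 0, 'A', 'l', 'i', 'c', 'e',
    2, 1, 0, 'x'
};

/* Constructed hostile sample: a name record claiming 256 bytes, four times
 * the slot size. Returns the number of bytes written, or 0 if cap is too small. */
size_t make_oversize_record(uint8_t *out, size_t cap)
{
    const size_t len = 256;
    if (cap < 3 + len) return 0;
    out[0] = TYPE_NAME;
    out[1] = (uint8_t)(len & 0xff);
    out[2] = (uint8_t)(len >> 8);
    memset(out + 3, 'A', len);
    return 3 + len;
}

int main(void)
{
    report_t r;
    uint8_t hostile[512];
    size_t hn = make_oversize_record(hostile, sizeof hostile);
    printf("benign:  rc=%d name=%s\n", parse_checked(BENIGN, sizeof BENIGN, &r), r.name);
    printf("hostile: rc=%d (report untouched: %s)\n", parse_checked(hostile, hn, &r), r.name);
    return 0;
}
```

The checked parser also builds the result in a temporary and only commits it on success, so a malformed record cannot leave a half-written report behind; that matters for the integrity concern raised later in the piece.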
In a blog post, Moxie Marlinspike, the creator of Signal, writes: “However, we were shocked to discover that Cellebrite’s own software protection appears to have received very little attention in both UFED and Physical Analyzer. Industry-standard exploit mitigation protections are lacking, and many opportunities for exploitation are present.”
By including “a specially formatted but otherwise harmless file” in an app on a device that is subsequently plugged into and scanned by Cellebrite’s tools, Signal was able to execute arbitrary code on the Cellebrite machine.
“The amount of code that can be executed is nearly limitless,” Marlinspike observes.
One possible consequence of such an attack is arbitrary modification of Cellebrite’s reports. The tampering would reach not only the report being generated for the device under examination but, according to Signal, previous and future reports from all previously scanned devices as well.
The modifications could include inserting or deleting contacts, emails, files, photos, messages, or any other data, and Signal says they would do so without “detectable timestamp shifts or checksum errors.” Because such changes could be made at any time and leave no obvious trace, they call into question the integrity of any Cellebrite report.
“Any app could contain such a file, and the only solution a Cellebrite user has is to not search devices until Cellebrite is able to reliably patch all vulnerabilities in its software with extremely high confidence,” Marlinspike says.
To reduce the risk, Cellebrite could update its software to skip scanning of high-risk applications, but even that would not guarantee the integrity of its reports.
Signal also released a proof-of-concept video showing what happens when Cellebrite’s UFED encounters a file crafted to trigger arbitrary code execution.