Signal found many vulnerabilities in the Cellebrite programs that are used by intelligence agencies around the world, and at the same time possible violations of Apple’s copyright.
Cellebrite is an Israeli developer of mobile hacking software that works with intelligence agencies around the world. For example, with its help the FBI hacked the iPhone of a terrorist, and the Chinese police used its products during the protests in Hong Kong.
Cellebrite’s flagship product is the UFED software and hardware package, which can be used to extract data from a mobile device. To analyze the received data, Cellebrite uses a second application — Physical Analyzer.
In December 2020, Cellebrite announced that it had hacked the secure Signal messenger and gained access to the messenger’s data in Physical Analyzer, but a few hours later it removed the wording about hacking and left only “access to data”.
Representatives of the messenger responded that Cellebrite neither hacks Signal nor decrypts its data. To access Signal, Cellebrite’s tools need physical access to an unlocked smartphone, and the Physical Analyzer app merely automates taking screenshots of the app.
“This is not magic, this is very mediocre corporate software,” said Signal.
And in April 2021, the Signal team itself hacked UFED and Physical Analyzer. According to representatives of the messenger, they “found a full-fledged software and hardware complex of the company that fell from a truck on the road” and studied its tools.
Signal’s researchers discovered many vulnerabilities that allow an attacker to gain full access to all Cellebrite forensic reports on the examiner’s computer and edit them without being noticed.
Moreover, the vulnerabilities allow editing not only the reports already stored on the PC, but also the ones that will be generated in the future.
In addition, Signal found that the company uses Apple libraries without authorization, and jokingly announced that messenger users would be protected from Cellebrite tools in the near future.
Cellebrite simply automates the routine of investigators
Signal described how the Cellebrite tools work. To use Cellebrite, you need physical access to the device and must unlock it; the tools do not intercept data and cannot monitor the user remotely. Both UFED and Physical Analyzer are written for Windows.
UFED creates a backup copy of the device. It is similar to iTunes or the adb backup command for Android, with some additional features.
Physical Analyzer (PA) parses the data from the backup and shows it in a readable form. According to the messenger’s developers, when Cellebrite announced support for Signal, this meant that it had added support to PA for the file formats that Signal uses.
The Cellebrite vulnerabilities allow you to gain full access to the criminologist’s computer — rewrite reports and download data
Signal’s developers were struck by the number of vulnerabilities in Cellebrite; according to them, the software lacks the industry-standard protections against exploits.
One example: the application uses FFmpeg libraries released in 2012, although more than a hundred security updates have been released for them since then.
The tools extract untrusted data from the smartphone, data that is controlled and generated by its applications. Signal claims that, for this reason, there is virtually no limit on what code can be executed while Cellebrite parses a file. Because the extracted data is produced by the device’s own applications, Cellebrite cannot tell which data is “correct” and which is not.
Therefore, knowing which vulnerabilities exist in the Cellebrite software, you can “slip” anything to the analyzer, for example an exploit that gains full access to the forensic examiner’s computer and silently rewrites the extracted information in favor of the smartphone’s owner.
To execute arbitrary code on the computer, a single specially crafted file inside any application that Cellebrite scans is enough.
Signal showed an example of an exploit for UFED that executes arbitrary code while scanning a device. To demonstrate the hack, it uses the classic Windows MessageBox API to display a message box — but attackers can inject any other code.
This can even happen by accident, which seriously calls into question the reliability of the data in Cellebrite reports. And until Cellebrite’s developers fix all the vulnerabilities in their software, users of its tools have only one option: not to scan devices at all.
Signal offers to disclose the specific vulnerabilities it found if Cellebrite publishes information about the other problems in its software, and keeps doing so in the future.
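The tampering risk described above (reports on the examiner’s machine being rewritten without anyone noticing) is exactly what a tamper-evident seal detects. The following is an added illustration, not code from Signal’s post or from Cellebrite’s products: each report is bound to a keyed hash computed with a secret held off the analysis workstation, so that code running on that workstation can alter the file but cannot produce a valid seal for the altered content. The report bytes and the key are constructed sample values.

```python
"""Tamper-evident sealing of forensic report files (added example).

Assumption: the examiner keeps the secret key on a separate host or
hardware token, never on the analysis workstation that parses the
untrusted device data. Only then does a missing or wrong seal mean
"modified after sealing" rather than "re-sealed by the attacker".
"""
import hashlib
import hmac
import json


def seal_report(report: bytes, key: bytes, name: str) -> dict:
    """Produce a manifest binding the report name and its SHA-256 under an HMAC."""
    digest = hashlib.sha256(report).hexdigest()
    # Canonical JSON so that the same fields always serialize identically.
    payload = json.dumps({"name": name, "sha256": digest}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"name": name, "sha256": digest, "hmac": tag}


def verify_report(report: bytes, manifest: dict, key: bytes) -> bool:
    """Recompute the seal over the report's *current* content and compare.

    The HMAC is recomputed from the current bytes, not from the manifest's
    stored digest, so an attacker who edits both the report and the
    manifest's sha256 field still fails: they cannot produce the tag.
    """
    digest = hashlib.sha256(report).hexdigest()
    payload = json.dumps({"name": manifest["name"], "sha256": digest}, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, manifest["hmac"])


def tamper_demo() -> dict:
    """Run the seal against constructed sample data and return the outcomes."""
    key = b"constructed-sample-key-kept-off-the-workstation"  # constructed
    original = b"case 0001: messages=42, contacts=7, verdict=present"  # constructed
    manifest = seal_report(original, key, "case0001_report.txt")

    # 1. Untouched report verifies.
    intact_ok = verify_report(original, manifest, key)

    # 2. Report edited in place (e.g. by code run during parsing) is detected.
    edited = original.replace(b"verdict=present", b"verdict=absent")
    edited_detected = not verify_report(edited, manifest, key)

    # 3. Attacker also rewrites the manifest's sha256 to match the edit,
    #    but has no key to recompute the HMAC: still detected.
    forged = dict(manifest, sha256=hashlib.sha256(edited).hexdigest())
    forged_detected = not verify_report(edited, forged, key)

    # 4. A seal made with some other key is rejected.
    wrong_key_detected = not verify_report(original, manifest, b"other-key")

    return {
        "intact_ok": intact_ok,
        "edited_detected": edited_detected,
        "forged_manifest_detected": forged_detected,
        "wrong_key_detected": wrong_key_detected,
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

The seal only helps with reports that existed before the edit; it does nothing about the second problem the post raises, a compromised workstation producing wrong reports from the start. For that, the mitigation is the one Signal implies: do not parse untrusted device data on a machine whose output you cannot independently reproduce.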
Physical Analyzer may violate Apple’s copyright — it uses iTunes libraries to analyze devices
The Signal team also studied the Physical Analyzer installer. It found that inside it there are packages carrying Apple’s digital signature that were extracted from the iTunes installer for Windows. They contain DLLs that implement the functions iTunes uses to interact with iOS devices.
Cellebrite uses the iTunes libraries to extract data from iOS devices. “It seems unlikely that Apple has given a license to distribute and use its libraries in Cellebrite products,” Signal’s developers note.
In their opinion, Apple could sue both Cellebrite itself and the users of its products.
Signal has hinted at protecting its users from Cellebrite tools
At the end of the post, Signal announced “news completely unrelated to the previous paragraphs”: certain files will periodically appear in new versions of the messenger. Signal will not use them, but “there are a lot of them and they look beautiful”.
The “beautiful files” will be added for a small number of active users and updated periodically. “They are just aesthetic, they have no other meaning,” Signal says.