Signal Founder Says Cellebrite's Forensics Tools FlawedFlaws Described by Moxie Marlinspike Raise Questions About Extracted Data's Trustworthiness
Law enforcement agencies use digital forensics tools from the Israeli company Cellebrite to gain access to locked mobile devices and extract data for evidence. But in a shot across the bow to the vendor's business model, Moxie Marlinspike (@moxie), creator of the encrypted messaging app Signal, says flaws in Cellebrite's devices call into question whether the data the tools extract can be considered reliable.
Marlinspike threw down the gauntlet Wednesday in a blog post in which he contends that software flaws could corrupt data collected by the Universal Forensic Extraction Device (UFED) and Physical Analyzer, two of Cellebrite's tools.
"I absolutely hope that defense attorneys are paying attention to this because these are real issues, they could be exploited and if they are, someone who is potentially innocent could end up in jail."
"We found that it's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned," Marlinspike writes. "There are virtually no limits on the code that can be executed."
Marlinspike's salvo marks an interesting direct attack launched by an organization, Signal, which fights to keep data private, against Cellebrite, whose business is breaking down those defenses. And it comes as governments around the world are increasing pressure on companies that use hard-to-break encryption in their products.
The findings raise questions as to whether defendants could raise objections to digital evidence collected by Cellebrite tools on grounds of possibly tampered data. Given that it's near impossible to eliminate all flaws in any software, it's debatable whether courts would view such claims favorably.
Cellebrite states that it ensures "that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound."
There's a palpable tension in Marlispike's blog post. It comes after Cellebrite's announcement on Dec. 1, 2020, that it could now parse and extract Signal content with its Physical Analyzer.
But Marlinspike's beef with Cellebrite isn't just that it aims to crack phones and obtain access to their Signal communications. In his blog post, Marlinspike also calls out the vendor for providing software to countries with problematic human rights records, including nations that target activists and journalists.
In response, Cellebrite says research such as Signal's is the cornerstone of ensuring the validity of its software and ensures that "lawfully obtained digital evidence is utilized to pursue justice."
Cellebrite's Large Attack Surface
To demonstrate the effects of one undescribed vulnerability, Marlinspike published a proof-of-concept video showing how a file planted on a mobile device is then processed and executed by UFED while collecting data. In the demonstration, the effect is harmless. It's a payload that causes the MessageBox Windows API to show a dialog box that read: "MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!" which is a quote from the 1995 film "Hackers."
Marlinspike alleges that Cellebrite's UFED and Physical Analyzer software lack security features that are common today, such as exploit mitigation defenses. He gave an example of one vulnerability in the products, which is an outdated bundle for the FFmpeg multimedia framework, which dates to 2012.
Patrick Wardle, an Apple security expert who runs the Objective-See Mac security tool site, says that applications such as Cellebrite are ripe for attack since they ingest large amounts of untrusted data.
"Any time you are parsing file formats, there are huge attack surfaces," Wardle says.
Defenses Against Cellebrite
Marlinspike and the Signal team are not the first to look for flaws in Cellebrite. For two years, Matt Bergin, a senior information security researcher with KoreLogic, a U.S.-based security consultancy, has been reverse-engineering Cellebrite's tools, finding vulnerabilities and weaknesses.
Bergin is due to present his latest findings on Cellebrite's tools next month at Black Hat Asia. He will unveil an Android app he developed that wipes data from a device when it detects a Cellebrite imaging attempt.
Bergin says he's pleased that other researchers such as Marlinspike are examining Cellebrite's tools. "I absolutely hope that defense attorneys are paying attention to this because these are real issues, they could be exploited and if they are, someone who is potentially innocent could end up in jail," he says.
Reliable Evidence or Reasonable Doubt?
Marlinspike offers a tongue-in-cheek deal to Cellebrite if it wants to obtain details of the vulnerabilities the Signal team found in its products.
"We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future," he writes.
Cellebrite's products use exploits to gain initial access to mobile devices, which has to occur before data can be extracted. Those exploits work until someone reports them to either Apple or Google, which will then patch iOS or Android. Marlinspike's challenge is likely to be ignored, because Cellebrite's business model is predicated on an ability to break into passcode-protected devices.
Meanwhile, Marlinspike notes that - in a completely unrelated move, wink-wink - upcoming versions of Signal will fetch files and put them in the app's storage. Cheekily, he suggests that "there is no other significance" to these files than to look nice, and that the files do not interact with the software or data.
"Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding," Marlinspike writes. "We have a few different versions of files that we think are aesthetically pleasing and will iterate through those slowly over time."
Whether Signal might use those files to disrupt or corrupt Cellebrite's data-capturing capabilities remains an open question. But it's a question that might provide defense teams with ammunition to challenge in court evidence seized using Cellebrite.
Copyright and Licensing Questions
In a parting shot, Marlinspike in his blog post points out that Cellebrite's iOS Advanced Logical tool and its Physical Analyzer use dynamic link libraries written by Apple, potentially violating Apple's copyright and licensing rights.
"It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users," Marlinspike writes.
Wardle says that point could be the more immediate problem, given Apple's robust defense of its intellectual property. "If your aim is to create a problem for Cellebrite, this is probably the best way to do it," he says.
Executive Editor Mathew Schwartz contributed to this post.