If you are looking for a secure messaging app on your iPhone or Android, Signal gets the job done. The company has now used an iPhone SE to hack Cellebrite's phone-cracking software with ease. Signal has talked about how anyone could place a file on their iPhone to effectively render any data extraction performed on the phone completely useless. That is what they are going to be doing for Signal users.
Signal Puts Cellebrite in the Spotlight in Humorous but Concerning Blog Post
Signal has also talked about how the file could compromise all the past and future reports generated from the Cellebrite Windows app. The company got its hands on the software by means that it does not wish to discuss, but it posted a humorous take on how this entire situation came to be.
By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
Signal has also shed light on the nature of the software and how it was likely to be vulnerable unless Cellebrite took steps to protect it.
Anyone familiar with software security will immediately recognize that the primary task of Cellebrite’s software is to parse “untrusted” data from a wide variety of formats as used by many different apps. That is to say, the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.
Signal realised that Cellebrite's app is pretty open to attack and talked about how easy it was to hack the code.
Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.
One of the more obvious ways of sabotaging the data extraction process would be adding data to or removing data from Cellebrite's download. If that is done, it would be nearly impossible to figure out what was on the phone to begin with and what the hack had removed or added.
It’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
To make matters even more humorous, Signal has said it will tell Cellebrite how it managed to do all of this if the phone hacking company reveals some of its own secrets.
We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.
Signal has also talked about how future versions of the app are going to be designed to hack PCs that are running Cellebrite apps if they are ever connected to them. To add insult to injury, Signal also talks about how Cellebrite is using Apple iTunes DLLs, which is considered to be a breach of copyright. If you want a laugh, you can head over to the blog post and read it.