Numerous vulnerabilities allow code execution.
Israeli digital forensics firm Cellebrite, whose products are used by law enforcement but also repressive, murderous regimes and groups around the world, has been left with egg on its face after an analysis of its software found it to be riddled with easily exploitable vulnerabilities.
The figurehead of the Signal encrypted messaging project, Moxie Marlinspike, got hold of a Cellebrite kit containing two key pieces of Windows software, the Universal Forensic Extraction Device (UFED) and Physical Analyser.
How the Cellebrite kit ended up in the Signal team’s hands remains unclear for now.
“By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me,” Marlinspike wrote.
On examination of the Cellebrite software, Marlinspike found that contrary to expectations of best-practice processing of untrusted data sources, the Israeli firm had given very little thought to the security of its products.
The Cellebrite software ships with very old versions of the open source FFmpeg dynamic link libraries for handling audio and video files, which have not received the more than 100 patches for critical vulnerabilities discovered in them over the last few years.
Marlinspike and the Signal researchers found that they could run any code they wanted on a Cellebrite machine by including a specially formatted file included in an app from which data is being extracted.
“There are virtually no limits on the code that can be executed,” Marlinspike wrote.
Cellebrite has added support for Signal’s file format recently and the Israeli company says its products can “break any barrier” and encryption in order to access data on devices being investigated.
On top of the numerous vulnerabilities in the outdated and unpatched software, the Signal team discovered two installer packages for Windows, signed by Apple.
The Signal researchers said the two software packages appear to come from the Windows installer for the iTunes media and device management software, and questioned if Apple had given Cellebrite a license to incorporate and distribute the code libraries.
“… this might present a legal risk for Cellebrite and its users,” Marlinspike speculated.
Marlinspike said that upcoming versions of Signal will periodically fetch files to place in app storage.
“These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software,” the developer said.
Cellebrite established an independent division for digital forensics for mobile devices in 2007.
The company was involved in the United States Federal Bureau of Investigation’s attempts at unlocking an Apple iPhone 5C used by one of the terrorists involved in the 2015 San Bernardino, California attack in which 14 people were killed and 22 were injured.
Apple was ordered by the court to write software that would unlock the phone, but refused to do so.
This year it was revealed that Sydney-based Azimuth Security unlocked the San Bernardino shooter’s phone, allegedly by linking together several vulnerabilities to get into the device.