The messaging company published a blog post that reported numerous alleged vulnerabilities in Cellebrite software, which uses physical access to a smartphone to breach its contents.
Signal was able to exploit holes in Cellebrite’s code to execute its own software on Windows computers used by Cellebrite. “There are virtually no limits on the code that can be executed,” Signal CEO Moxie Marlinspoke said.
Cellebrite make two products - UFED and Physical Analyzer - that have previously been used by authoritarian regimes including Russia and Belarus, the police in Myanmar, and the FBI in the United States attempting to breach iPhones.
UFED creates a backup of the device onto a Windows computer, while the Physical analyzer parses the files in a way that is browsable for the user.
Cellebrite infamously claimed that they were able to breach Signal’s encryption – one of the most secure available – in December 2020, but Signal claims the company only added support to Physical Analyser for the file formats used by Signal, and thus were overstating their actual abilities.
“One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands,” Marlinspike writes.
Exacting retribution by a “truly unbelievable coincidence”, Marlinspike writes, Signal gained access to Cellebrite’s hardware tools.
“I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite”, Marlinspike writes.
It appears Signal was able to execute code using a “specifically formatted but otherwise innocuous file” in an app that’s scanned by Cellebrite – such as Signal, for example - to take over Cellebrite’s software.
“Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices”, the post continues.
“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.
“In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software”, Signal adds.
“We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.”
The Independent has reached out to Signal for more information about the significance of these files, and how it came to access Cellebrite equipment, but the messaging app did not respond to a request for comment by time of publication.
Signal also alleges that Cellebrite uses two MSI installer packages that are digitally signed by Apple, but appear to have been extracted from the Windows installer of iTunes 12.
“It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users”, Signal writes.
Apple did not respond to a request for comment from The Independent before time of publication. The Independent also asked Cellebrite for more information about its possible vulnerabilities, as well as its Apple licenses, but the digital forensics company also did not respond before time of publication.
“We constantly strive to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound”, Cellebrite said in a statement to The Independent.
“Cellebrite understands that research is the cornerstone of ensuring this validation, making sure that lawfully obtained digital evidence is utilized to pursue justice.”
Register for free to continue reading
Registration is a free and easy way to support our truly independent journalism
By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists
Already have an account? sign in
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies