Moxie Marlinspike Demonstrates Cellebrite Tools Vulnerabilities

Signal creator, renowned cryptographer, hacker, researcher and anarchist Moxie Marlinspike studied the products of the famous Israeli cybercriminalistic company Cellebrite and identified a number of vulnerabilities in their work.

In particular, the bugs allowed him to execute malicious code on a Windows computer that was used to analyze devices.

Let me remind you that Cellebrite are independent cybercriminals who specialize in extracting data from mobile devices (iOS and Android). For example, several years ago, an Israeli firm was named the main candidate for the role of an FBI contractor when law enforcement officers were looking for specialists to hack a terrorist’s iPhone.

Overall, Cellebrite has helped governments and law enforcement agencies around the world in hacking seized mobile phones (mostly through exploiting vulnerabilities that device manufacturers have ignored).

How Marlinspike gained access to Cellebrite equipment is unknown. He ironically says that this happened due to an “incredible coincidence”: he allegedly walked down the street and “saw a small package fall out of the truck” with the Cellebrite logo.

Probably, it was not so difficult to acquire such a set. Back in 2016, Vice Motherboard journalists conducted their own experiment, which showed that anyone can purchase such a set.

In the Signal blog, the expert explains that Cellebrite’s software works by analyzing data from an untrusted source. That is, the software accepts an input that may be incorrectly formatted, and this can provoke information corruption in memory, which will lead to the execution of arbitrary code in the system.

In our research on UFED and the Physical Analyzer, we were surprised to find that very little attention was paid to the security of Cellebrite’s proprietary software. There are no industry-standard tools for protection against exploits, but there are many opportunities for exploitation. the expert writes.

The researcher also discovered that Cellebrite software uses an old open-source code, which Cellebrite developers have not updated for almost ten years (although security updates have been released more than once during this time).

As a result, Marlinspike was able to run arbitrary code on the Cellebrite machine when it parsed a specially prepared file on a scanned device.

By including a specially formatted but generally harmless file in a device application that Cellebrite then scans, you can execute code that will not only affect the Cellebrite report generated by that scan, but also arbitrarily affect all Cellebrite’s past and future reports, with all previously scanned devices and all future devices: you can insert or delete text, email, photos, contacts, files or any other data. And all this can be done without any detectable timestamps or checksum problems.Marlinspike said.

Marlinspike has posted a Proof of Success for a UFED product, his payload uses the Windows MessageBox API:

In addition, Marlinspike found digitally signed MSI packages from Apple in the Packet Analyzer installer. They appear to be pulled from the Windows Installer for iTunes 12.9.0.167 and contain DLL files that help Cellebrite software interact with and retrieve data from iOS devices.

Marlinspike summarizes that he will happily provide Cellebrite developers with details of all vulnerabilities if the company responds by doing the same for all vulnerabilities that it uses for its services “now and in the future.”

Cellebrite representatives have already told the media that for the company is very important “the security and integrity of customer data,” and also assured that they “constantly check and update” their software. At the same time, the company did not comment on the problems discovered by the expert in any way, and did not say whether the company had permission to use Apple software.

Let me also remind you that we talked about the researcher showing how to steal a Tesla Model X in a few minutes.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *