I don't consider a locked phone to be safe anyway...
...since you do not need to be conscious for face ID or fingerprint readers to unlock it.
Signal app's Moxie says it's possible to sabotage Cellebrite's phone-probing tools with booby-trapped file
It is possible to hijack and manipulate Cellebrite's phone-probing software tools by placing a specially crafted file on your handset, it is claimed. Signal app supremo Moxie Marlinspike said in an advisory on Wednesday that he managed to get his hands on some of Cellebrite's gear, which is typically used by cops, government …
-
-
-
Thursday 22nd April 2021 10:54 GMT big_D
Re: I don't consider a locked phone to be safe anyway...
Company policy on mobile devices is 10 character "PIN", containing upper case, lower case, numbers and special characters and no fingerprint or facial recognition active...
Makes using my iPhone a pain, having to type in a long password each time I want to check anything.
-
-
-
-
-
Thursday 22nd April 2021 09:08 GMT Doctor Syntax
Re: "We have strict licensing policies that govern how customers are permitted to use etc"
It's always best to remember that people who write statements like that aren't always lying - they just know how to write English so that it has to be carefully construed to get its true meaning. The strictness doesn't need to be applied to the policy, not even to the licence. It needs to be applied to the enforcement.
And another instance of el Reg allowing the length of a title, extending it automatically when it's quoted and then declaring their ow extended title too long.
-
Thursday 22nd April 2021 09:34 GMT Blazde
Re: "We have strict licensing policies that govern how customers are permitted to use etc"
Agreed, I'm sure if they were being more honest they'd say they mean their policy is strict but that's not enough to prevent the technology falling into the wrong hands. And if they were being still more honest they might say their *written* policy is strict but not always strictly adhered to when enough money is on the line.
Still, it's a PR line that precedes Signal's blog post, and it's clearly intended to give the impression their technology won't fall into the wrong hands so it seems weirdly inappropriate here when it just has done. (But what do I know, it's probably some textbook PR gaslighting voodoo).
-
-
-
-
Thursday 22nd April 2021 17:28 GMT Michael Wojcik
We see this very frequently with malware (and Cellebrite's products are malware, regardless of whom they sell them to).
Malvuln has been running a series on the Full Disclosure list of exploitable vulnerabilities found in malware samples. Typically this stuff is poorly written and, as Marlinspike wrote, uses outdated components. Malware tends to be created by developers who specialize in finding vulnerabilities, exploiting them, and chaining the exploits; they often have abysmal software-development practices.
-
-
-
-
-
Thursday 22nd April 2021 12:18 GMT iron
Re: On a more serious note...
Not really. Signal will be using a range of files which if El Reg had printed the full quote may, or may not be downloaded by a given device. The user, and therefore Cellebrite, has no knowledge of what files have been downloaded, if any. The mere possibility taints all evidence gathered using Cellebrite.
-
Thursday 22nd April 2021 17:28 GMT Michael Wojcik
Re: On a more serious note...
The mere possibility taints all evidence gathered using Cellebrite.
In theory, perhaps. In practice US courts at least have routinely accepted evidence and "expert" testimony on much shakier grounds, and judges often refuse to allow counter-testimony challenging forensic evidence.
-
-
Saturday 24th April 2021 14:25 GMT NonSSL-Login
Re: On a more serious note...
If he doesn't, Celebrite can never be sure they have closed all 'known' vulnerabilities in their software which would keep their evidence in court questionable.
Ok they will most likely start compiling with address randomising and stuff with the compiler and other features to make it more difficult to exploit but its slim they will find all the original bugs, especially when they have to parse so many different types of files.
I have a feeling the software will leak to a site like the Piratebay in the near future and some reverse engineering coders will have some fun if their phone ever gets confiscated at the border or by the police :D
-
-
-
-
Thursday 22nd April 2021 08:25 GMT mark l 2
Reminds me of a issue with Encase forensics software I remember reading about years ago, where it would bomb out trying to read a specially crafted ZIP file that was only a few KB in size compressed, but would decompress to hundreds of TB and cause the software to crash as it couldn't cope with files of that size..
-
Thursday 22nd April 2021 12:30 GMT Twanky
Squid pro roe...
Signal's creator went on to say he'll disclose the holes he's found when Cellebrite discloses the vulnerabilities it exploits to forcibly unlock confiscated handhelds.
Wouldn't it be better if the Cellebrite system could be persuaded to blab what exploits it's using in trying to get into the device? I'd bet many of these toys are actually networked even if protocol says they shouldn't be.
-
Thursday 22nd April 2021 14:55 GMT DS999
The problem is in utilizing these exploits
If an app was publicly released that claimed to include a "Cellebrite breaker" in it, Cellebrite could download the app, figure out what it does, and close the specific hole it is using. So the only way this can be used is if it is kept quiet, and circulated to a small circle of people, so Cellebrite won't be able to get their hands on the code to see what it is doing so they can close the hole in their software.
-
Thursday 22nd April 2021 18:08 GMT Michael Wojcik
Re: The problem is in utilizing these exploits
Since Cellebrite could have closed most of the holes in the first place by keeping their third-party components up to date and employing decent development practices, this is rather a stretch. And their users will have to upgrade their Cellebrite software to get the fixes.
-
-
Thursday 22nd April 2021 15:00 GMT DS999
He might not need Cellebrite to reveal their exploits
I'll bet if he invited Apple and Google to send some of their engineers to his office to poke and prod the Cellebrite device, they could learn what it is doing and be able to close up all the holes it is currently using. Perhaps they have other attacks on the shelf in case the ones they are currently using get fixed, but so long as Moxie's Cellebrite is still able to download software updates they could eventually get those as well.
It would probably open Apple/Google up to lawsuits if they lied about being "law enforcement" to purchase a Cellebrite device, but if someone else has acquired one through whatever means they aren't breaking any rules. Certainly not any more than Cellebrite is by whatever sleazy methods they're using to obtain the 0 days they use to break into phones!
If I was in charge of Apple's security team I'd be contacting him right now asking to send a couple of my best guys to reverse engineer how the Cellebrite device operates.
-
Friday 23rd April 2021 04:31 GMT Aussie Doc
Really?
From a gizmodo article on the claim:
Quote
"...It’s hard not to read all of this as some sort of retort to Cellebrite’s recent claims that it can crack Signal’s encryption—surely a claim that stuck in Marlinspike’s craw."
End quote
They seem a little skeptical.
https://gizmodo.com/signals-ceo-just-hacked-the-cops-favorite-phone-crackin-1846733412
Just putting it out there - don't really have a care, myself.
Cheers.
-
Friday 23rd April 2021 10:00 GMT John Jennings
in some juristictions
it may be illegal to tamper with the cellibrite app.
Especially if causes damage to evidence.
imagine if you are stopped (at random) for a screen or a minor infraction, and you get scanned.
You are in possession of a file which corrupts the instance of evidence on your - or others cases (I assume that the application is networked)
Instead of nothing to answer, you could get 'tampering with police evidence' or 'damaging police property' - which may carry a more serious penalty....
With Signal installed, you wouldnt even know if your prticular handset was a bomb-carrying mule.....
Lady justice is blind in these cases - ignorance would not be a defence.
Biting the hand that feeds IT
