back to article Signal app's Moxie says it's possible to sabotage Cellebrite's phone-probing tools with booby-trapped file

It is possible to hijack and manipulate Cellebrite's phone-probing software tools by placing a specially crafted file on your handset, it is claimed. Signal app supremo Moxie Marlinspike said in an advisory on Wednesday that he managed to get his hands on some of Cellebrite's gear, which is typically used by cops, government …

  1. Anonymous Coward
    Anonymous Coward

    I don't consider a locked phone to be safe anyway...

    ...since you do not need to be conscious for face ID or fingerprint readers to unlock it.

    1. Ace2 Silver badge

      Re: I don't consider a locked phone to be safe anyway...

      Well, turn it off if you can. TouchID (at least) doesn’t work on first boot.

      1. big_D Silver badge

        Re: I don't consider a locked phone to be safe anyway...

        Company policy on mobile devices is 10 character "PIN", containing upper case, lower case, numbers and special characters and no fingerprint or facial recognition active...

        Makes using my iPhone a pain, having to type in a long password each time I want to check anything.

        1. CommanderGalaxian
          Boffin

          Re: I don't consider a locked phone to be safe anyway...

          User policy will then be to write down said 10 character PIN because they keep forgetting it.

          1. big_D Silver badge

            Re: I don't consider a locked phone to be safe anyway...

            Nope the employee Data Protection Handbook explicitly says that passwords are not to be written down.

    2. Anonymous Coward
      Anonymous Coward

      Re: I don't consider a locked phone to be safe anyway...

      This is why I don't enable fingerprint or face unlock.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is why I don't enable fingerprint or face unlock.

        Well done. Much easier to observe and reproduce a pin/unlock pattern than a fingerprint or face.

        1. seven of five Silver badge

          Re: This is why I don't enable fingerprint or face unlock.

          Passwords exist.

          1. Anonymous Coward
            Anonymous Coward

            Re: Passwords exist.

            On phones it's normally a pin or a pattern, easily observerd.

            I can't read your fingerprint from here.

            1. seven of five Silver badge

              Re: Passwords exist.

              Well, normally. On my phone, it is a password. And a seventeen char one, while we're at it. Takes about four seconds to type in, muscle memory and blackberry soft keyboard take care of it. Just because most people don't care does not mean you don't have to care.

        2. Dan 55 Silver badge

          Re: This is why I don't enable fingerprint or face unlock.

          At least you have to observe them first. With photos and fingerprint unlock that might not even be necessary, depending on who's trying to unlock it.

          1. Anonymous Coward
            Anonymous Coward

            Re: At least you have to observe them first.

            There are obviously problems with both methods.

            Claiming that disabling one factor of authentication increases your security shows a misunderstanding of the problem.

      2. HellDeskJockey-ret

        Re: I don't consider a locked phone to be safe anyway...

        Agreed also no credit cards or financial data on my cell.

        1. Short Fat Bald Hairy Man

          Re: I don't consider a locked phone to be safe anyway...

          Who does that, anyway? Surely, no one can be so careless?

  2. Blazde Silver badge

    "We have strict licensing policies that govern how customers are permitted to use our technology"

    An unfortunate canned line given the circumstances of Signal obtaining and tearing down their kit, presumably in complete violation of those maybe-not-so-strict policies.

    1. Doctor Syntax Silver badge

      Re: "We have strict licensing policies that govern how customers are permitted to use etc"

      It's always best to remember that people who write statements like that aren't always lying - they just know how to write English so that it has to be carefully construed to get its true meaning. The strictness doesn't need to be applied to the policy, not even to the licence. It needs to be applied to the enforcement.

      And another instance of el Reg allowing the length of a title, extending it automatically when it's quoted and then declaring their ow extended title too long.

      1. Blazde Silver badge

        Re: "We have strict licensing policies that govern how customers are permitted to use etc"

        Agreed, I'm sure if they were being more honest they'd say they mean their policy is strict but that's not enough to prevent the technology falling into the wrong hands. And if they were being still more honest they might say their *written* policy is strict but not always strictly adhered to when enough money is on the line.

        Still, it's a PR line that precedes Signal's blog post, and it's clearly intended to give the impression their technology won't fall into the wrong hands so it seems weirdly inappropriate here when it just has done. (But what do I know, it's probably some textbook PR gaslighting voodoo).

  3. Anonymous Coward
    Thumb Up

    It couldn't happen

    to a more appropriate company.

  4. Anonymous Coward
    Anonymous Coward

    It's time to cellebrite

    This discovery!

  5. low_resolution_foxxes

    Ohhh the irony.

    1. Michael Wojcik Silver badge

      We see this very frequently with malware (and Cellebrite's products are malware, regardless of whom they sell them to).

      Malvuln has been running a series on the Full Disclosure list of exploitable vulnerabilities found in malware samples. Typically this stuff is poorly written and, as Marlinspike wrote, uses outdated components. Malware tends to be created by developers who specialize in finding vulnerabilities, exploiting them, and chaining the exploits; they often have abysmal software-development practices.

  6. Anonymous Coward
    Anonymous Coward

    LOL

    Just LOL!

    1. Mishak Silver badge

      On a more serious note...

      This could be used in court to discredit any evidence that's presented based on the use of Cellebrite.

      1. Doctor Syntax Silver badge

        Re: On a more serious note...

        That's clearly implied in the story.

        However, if Signal start providing booby-trapped files as part of the installation all Celebrite have to do to find out what the exploits are is to install Signal on a phone and that gives them a test-bed.

        1. iron

          Re: On a more serious note...

          Not really. Signal will be using a range of files which if El Reg had printed the full quote may, or may not be downloaded by a given device. The user, and therefore Cellebrite, has no knowledge of what files have been downloaded, if any. The mere possibility taints all evidence gathered using Cellebrite.

          1. Michael Wojcik Silver badge

            Re: On a more serious note...

            The mere possibility taints all evidence gathered using Cellebrite.

            In theory, perhaps. In practice US courts at least have routinely accepted evidence and "expert" testimony on much shakier grounds, and judges often refuse to allow counter-testimony challenging forensic evidence.

        2. NonSSL-Login

          Re: On a more serious note...

          If he doesn't, Celebrite can never be sure they have closed all 'known' vulnerabilities in their software which would keep their evidence in court questionable.

          Ok they will most likely start compiling with address randomising and stuff with the compiler and other features to make it more difficult to exploit but its slim they will find all the original bugs, especially when they have to parse so many different types of files.

          I have a feeling the software will leak to a site like the Piratebay in the near future and some reverse engineering coders will have some fun if their phone ever gets confiscated at the border or by the police :D

  7. mark l 2 Silver badge

    Reminds me of a issue with Encase forensics software I remember reading about years ago, where it would bomb out trying to read a specially crafted ZIP file that was only a few KB in size compressed, but would decompress to hundreds of TB and cause the software to crash as it couldn't cope with files of that size..

    1. ortunk

      That's an old mailbomb technique by the way. So funny they fell for it.

      Best security practice seems to be favorite old: security by obscurity

  8. Twanky

    Squid pro roe...

    Signal's creator went on to say he'll disclose the holes he's found when Cellebrite discloses the vulnerabilities it exploits to forcibly unlock confiscated handhelds.

    Wouldn't it be better if the Cellebrite system could be persuaded to blab what exploits it's using in trying to get into the device? I'd bet many of these toys are actually networked even if protocol says they shouldn't be.

  9. DS999 Silver badge

    The problem is in utilizing these exploits

    If an app was publicly released that claimed to include a "Cellebrite breaker" in it, Cellebrite could download the app, figure out what it does, and close the specific hole it is using. So the only way this can be used is if it is kept quiet, and circulated to a small circle of people, so Cellebrite won't be able to get their hands on the code to see what it is doing so they can close the hole in their software.

    1. Michael Wojcik Silver badge

      Re: The problem is in utilizing these exploits

      Since Cellebrite could have closed most of the holes in the first place by keeping their third-party components up to date and employing decent development practices, this is rather a stretch. And their users will have to upgrade their Cellebrite software to get the fixes.

  10. DS999 Silver badge

    He might not need Cellebrite to reveal their exploits

    I'll bet if he invited Apple and Google to send some of their engineers to his office to poke and prod the Cellebrite device, they could learn what it is doing and be able to close up all the holes it is currently using. Perhaps they have other attacks on the shelf in case the ones they are currently using get fixed, but so long as Moxie's Cellebrite is still able to download software updates they could eventually get those as well.

    It would probably open Apple/Google up to lawsuits if they lied about being "law enforcement" to purchase a Cellebrite device, but if someone else has acquired one through whatever means they aren't breaking any rules. Certainly not any more than Cellebrite is by whatever sleazy methods they're using to obtain the 0 days they use to break into phones!

    If I was in charge of Apple's security team I'd be contacting him right now asking to send a couple of my best guys to reverse engineer how the Cellebrite device operates.

  11. Aussie Doc
    Pint

    Really?

    From a gizmodo article on the claim:

    Quote

    "...It’s hard not to read all of this as some sort of retort to Cellebrite’s recent claims that it can crack Signal’s encryption—surely a claim that stuck in Marlinspike’s craw."

    End quote

    They seem a little skeptical.

    https://gizmodo.com/signals-ceo-just-hacked-the-cops-favorite-phone-crackin-1846733412

    Just putting it out there - don't really have a care, myself.

    Cheers.

    1. Aussie Doc
      Pint

      Re: Really?

      A thumbs down for putting somebody else's skepticism in a link?

      You are Marlinspike and I claim my $5.

  12. Androgynous Cupboard Silver badge

    Core War!

    Anyone else reminded of this? Feels like it's finally spilled over into real life (ref). Well played Moxie.

  13. John Jennings

    in some juristictions

    it may be illegal to tamper with the cellibrite app.

    Especially if causes damage to evidence.

    imagine if you are stopped (at random) for a screen or a minor infraction, and you get scanned.

    You are in possession of a file which corrupts the instance of evidence on your - or others cases (I assume that the application is networked)

    Instead of nothing to answer, you could get 'tampering with police evidence' or 'damaging police property' - which may carry a more serious penalty....

    With Signal installed, you wouldnt even know if your prticular handset was a bomb-carrying mule.....

    Lady justice is blind in these cases - ignorance would not be a defence.

    1. Anonymous Coward
      Anonymous Coward

      Re: in some juristictions

      It's in the article, the exploit alters no times stamps, etc. and is basically undiscoverable after the event

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon