Cellebrite's software is used by authorities in several countries to unlock and extract data from cell phones, especially iPhones. But confidence in the tool may now be shaken: Moxie Marlinspike (Matthew Rosenfeld), founder and CEO of the Signal messaging service, reverse-engineered the Cellebrite software and disclosed some of its weaknesses.
Cellebrite has never explained how its tools get past device locks and encryption, but the list of devices it claims to support is long. In addition to iPhones, the company's software can extract protected data from Motorola, Samsung, LG, Xiaomi, Sony and Huawei devices, among others.
A recent example comes from Brazil: the Civil Police of Rio de Janeiro used Cellebrite's tool to recover deleted messages from cell phones during the investigation into the death of the boy Henry Borel.
Cases like this may even justify the tool's existence, but on Signal's blog Marlinspike adds that Cellebrite's customer list includes authoritarian regimes in countries such as Russia, Venezuela and China, death squads in Bangladesh, military juntas in Myanmar, and agents of repression in Turkey, the United Arab Emirates and elsewhere.
But another detail motivated Marlinspike to look inside the Cellebrite product: in late 2020, Cellebrite claimed to have broken Signal's encryption.
UFED and Physical Analyzer
In his post, Marlinspike explains that the Cellebrite product consists of two tools: UFED and Physical Analyzer. The first extracts a copy of the device's data onto a Windows computer. The second parses that copy and presents the data in a browsable format.
That sounds like a tidy process. Marlinspike points out, however, that it has serious flaws and questionable design choices.
One example: Cellebrite's software bundles FFmpeg (an audio and video processing library) in DLLs built in 2012. FFmpeg has received more than a hundred security updates since then, none of which have been applied to Cellebrite's copy. Since the job of those libraries is to parse media files pulled from the phone under examination, every one of those unpatched bugs is reachable from data the device's owner controls.
Another: Physical Analyzer ships MSI installer packages that implement iTunes functionality. These packages are digitally signed by Apple, yet it is unlikely that Apple licensed them to Cellebrite, which suggests they are being redistributed without permission. That could create legal problems for Cellebrite or even for its customers.
Extracted data can be manipulated
But the most striking point is this: Signal's CEO explains that there are vulnerabilities in the parsing software that can be exploited to modify the extraction report. Data extracted from a phone during analysis can therefore be manipulated and can no longer be relied on.
Going into more detail, Marlinspike reports that by placing a "specially formatted but otherwise innocuous" file in any app on a device that is later scanned by Cellebrite, the report can be altered to insert or remove messages, photos, contacts and other data, with no detectable sign that a change was made. Reports generated earlier, and any generated later, can be tampered with as well.
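A practical caveat follows from that last sentence: a report that could have been rewritten on the analysis machine cannot vouch for itself. The script below is added here as an illustration; it is not part of Signal's write-up or of Cellebrite's software. It shows the kind of out-of-band integrity check an examiner can keep: hash each report file as soon as it is produced, store the manifest somewhere the analysis workstation cannot write, and re-verify later. It cannot tell whether a report was already wrong when it was generated; it only shows whether a stored report has changed since the manifest was taken. The file names and report contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large extractions need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths):
    """Map each file's base name to its SHA-256 hex digest.

    In practice the result is serialised (see manifest_json) and copied to
    write-once storage that the analysis workstation cannot reach.
    """
    return {os.path.basename(p): sha256_file(p) for p in paths}


def manifest_json(manifest):
    """Stable, sorted JSON so the manifest itself can be hashed or signed."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def verify_manifest(manifest, directory):
    """Return a name -> status map with values 'ok', 'modified' or 'missing'."""
    status = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif sha256_file(path) == expected:
            status[name] = "ok"
        else:
            status[name] = "modified"
    return status


def demo():
    """Constructed scenario: three reports are hashed, then one is altered and one deleted."""
    # Constructed sample report contents; real reports would be far larger.
    reports = {
        "report_001.xml": b"<report><msg>meet at 10</msg></report>",
        "report_002.xml": b"<report><msg>call me</msg></report>",
        "report_003.xml": b"<report><contact>Alice</contact></report>",
    }
    with tempfile.TemporaryDirectory() as workdir:
        paths = []
        for name, body in reports.items():
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(body)
            paths.append(path)

        manifest = build_manifest(paths)  # taken when the reports were produced

        # Simulate a later change on the analysis machine: one report edited, one gone.
        with open(os.path.join(workdir, "report_002.xml"), "ab") as fh:
            fh.write(b"<msg>inserted later</msg>")
        os.remove(os.path.join(workdir, "report_003.xml"))

        return verify_manifest(manifest, workdir)


if __name__ == "__main__":
    print(demo())
```

The manifest only has value if it lives somewhere the compromised workstation cannot reach, such as a write-once share or a printed hash list in the case file; a manifest kept next to the reports can be rewritten along with them.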
Quid pro quo
Notably, Signal published details of the vulnerabilities without notifying Cellebrite first. Marlinspike signals, though, that he is willing to disclose them responsibly if Cellebrite does the same with the flaws it exploits in other software.
Since that is unlikely to happen, expect more chapters in this story.
Finally, one more curious detail: Marlinspike says he got hold of a Cellebrite kit because, while walking down the street, he saw one fall off a truck. That is obviously a joke; he may have bought the kit on eBay, for instance.