The Security-Industrial complex is full of companies that like to play in the gray zone, selling products to shady authoritarian regimes that have histories of harassing and disappearing people they deem enemies of the state. One such company is Cellebrite, an Israeli company known for its products for collecting data off cell phones.
A simplistic descripton of Cellebrite’s software is that it copies the contents of files on smartphones automatically so that law enforcement and murderous tyrant dictators don’t have to manually do it themselves. Cellebrite’s product figures out what format all the different files are in and supports automatic content extraction for those file formats.
Recently, Cellebrite announced that they could now parse Signal files to extract chat data. Signal is a popular privacy-focused messaging app that is open source and is truly end-to-end encrypted. No one has a key to your conversation and no one can decrypt your messages except for the intended recipients.
Many of us, myself included, have used Signal to varying degrees for many years. Ironically, it’s also become more popular recently with the slow-to-security-awareness conservative crowd who thinks they’re being persecuted by platforms who justifiably don’t like their hate speech. Bear in mind, some of these are the same people who never realized their phones could be used to pinpoint their locations relative to the attempted coup at the Capitol. Regardless, Signal is a good product and should not be judged by the quality of some of its more recent adopters.
The point is, the ability to grab Signal chats is something Cellebrite knows that law enforcement and dictators alike would enjoy, and that it would be something to proclaim triumphantly.
It did not go unnoticed.
One of the best things about Signal is its founder and CEO, Moxie Marlinspike. Moxie Marlinspike is a man with a particular view of the world that I quite enjoy. As he puts it:
In general, I hope to contribute to a world where we value skills and relationships over careers and money, where we know better than to trust cops or politicians, and where we’re passionate about building and creating things in a self-motivated and self-directed way.
Apparently Moxie has a distaste for companies that help tyrants and murders spy on journalists and dissidents, especially ones that poke at him and his company by announcing with great fanfare that they’ve cracked his product (which technically isn’t true).
Moxie decided to get even. And when Moxie gets even, he plans his response to the nth degree.
On April 21st, 2021, Moxie posted a blog post to the Signal website titled Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective. It’s a doozy. It basically lays waste to Cellebrite’s software and then tears into its trustworthiness and threatens to make sure it can never be trusted again by promising to keep exploiting its vulnerabilities over time.
The way that Cellebrite is vulnerable lies in its need to read all kinds of different file formats. Because of this, it should be very careful about what it does with files it’s working with and what it allows those files to do. But it isn’t. On top of that, it uses various old, insecure libraries to do its job, which means that any app (let’s say Signal, for example) can manipulate the data that Cellebrite presents to its customers, and even install malware that makes it keep doing so in the future.
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
The fun doesn’t stop there. Moxie goes even further and implies that he’s going to make use of these capabilities on an ongoing basis to invalidate anything that their software tools report to their customers.
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
Moxie is essentially promising to undermine the credibility of Cellebrite’s software both immediately and into the foreseeable future. This will be impactful to Cellebrite, because Signal is going to remain a focus of interest by law enforcement and murderers alike1, so these aesthetically pleasing files are certainly going to get a chance to … well, be aesthetically pleasing. Additionally, Moxie has given other developers who want to poke a stick in Cellebrite’s eye an idea of what can be done.
I also particularly enjoyed Moxie’s outing of Cellebrite’s probable copyright violations with respect to Apple software:
It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users.
I am on Twitter if you want to talk about anything I’ve posted here or to block me when I tell you I like the rain in Portland.