After digital forensics company Cellebrite said it had figured out a way to access data from the secure messaging app Signal, Signal said in a blog post that it had turned the tables. Signal’s creator, Moxie Marlinspike, said his team had obtained Cellebrite’s extraction tools and found several vulnerabilities in them. He also implied that Signal would update the app to frustrate future attempts by police to use those tools against it.
Cellebrite sells a set of “data analytics devices” called UFEDs (Universal Forensic Extraction Devices) that let police with physical access to an iOS or Android phone extract message logs, call records, photos and other data; a companion Windows application, Physical Analyzer, parses the extracted data and produces the report. Cellebrite’s tools have reportedly been used by the FBI to unlock iPhones in the past.
Marlinspike managed to get hold of a Cellebrite UFED, complete with its software and hardware, joking that it fell off a truck while he was out for a walk. (Older versions of the devices have appeared on eBay and other websites in the past.)
He noted that the software bundles old, unpatched DLLs, including a 2012 build of FFmpeg and MSI Windows installer packages for Apple’s iTunes. “However, looking at both UFED and Physical Analyzer, we were surprised that very little care seems to have been given to Cellebrite’s own software security,” he wrote.
Signal’s team found that by including “specially formatted but otherwise harmless files in any app on a device” that is later scanned by Cellebrite, it could get code of its choosing to run on the Cellebrite machine when that file is parsed, and that code can modify the UFED report. For example, it could insert or delete text messages, email, photos, contacts and other data in the report, leaving no trace of the manipulation.
In a tweet, Signal showed the attack in action, with the UFED analyzing a file formatted to trigger the code and display a benign message. However, the company said that “a real exploit payload will likely seek to imperceptibly change previous reports, compromise the integrity of future reports or exfiltrate data from the Cellebrite machine.” Marlinspike then implied that Signal could ship such files inside the app to frustrate future attempts by police to extract Signal data with Cellebrite’s tools.
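The claim worth dwelling on is that a payload running on the analysis machine can alter a report without leaving detectable traces: it can rewrite any checksum file the tool stores beside the report and put the file timestamps back. The following is an added illustration, not code from the article, Signal or Cellebrite. It builds a constructed toy report, simulates exactly that kind of tamper, and shows that a checksum stored on the same machine still verifies while a hash recorded off the machine at extraction time does not. All file names, the record layout and the tamper routine are assumptions made for this example.

```python
"""Added example (not from the article, Signal or Cellebrite): a toy
forensic-report directory showing why a tampered report can pass the
extraction tool's own checksum check, and what an independently kept
record of the report hash buys you. File names, record layout and the
tamper function are constructed for this illustration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def write_report(report_dir: Path, messages: list) -> dict:
    """Write a constructed report (messages.json) plus the tool's own
    checksum file next to it, as a self-verifying exporter would.
    The returned dict is what an examiner should copy OFF the host."""
    report_dir.mkdir(parents=True, exist_ok=True)
    report = report_dir / "messages.json"
    report.write_text(json.dumps(messages, indent=1))
    sums = {report.name: sha256_file(report)}
    (report_dir / "SHA256SUMS.json").write_text(json.dumps(sums))
    return sums


def local_check(report_dir: Path) -> bool:
    """Verify using only the checksum file stored beside the report."""
    sums = json.loads((report_dir / "SHA256SUMS.json").read_text())
    return all(sha256_file(report_dir / n) == h for n, h in sums.items())


def independent_check(report_dir: Path, offbox_sums: dict) -> bool:
    """Verify against hashes recorded somewhere the analysis host cannot write."""
    return all(sha256_file(report_dir / n) == h for n, h in offbox_sums.items())


def tamper_like_an_attacker(report_dir: Path, idx: int, new_text: str) -> None:
    """Simulate a payload on the analysis machine: edit one message,
    rewrite the local checksum file to match, and restore the original
    timestamps so the directory looks untouched."""
    report = report_dir / "messages.json"
    sums_path = report_dir / "SHA256SUMS.json"
    st_report, st_sums = report.stat(), sums_path.stat()
    msgs = json.loads(report.read_text())
    msgs[idx]["text"] = new_text
    report.write_text(json.dumps(msgs, indent=1))
    sums_path.write_text(json.dumps({report.name: sha256_file(report)}))
    os.utime(report, ns=(st_report.st_atime_ns, st_report.st_mtime_ns))
    os.utime(sums_path, ns=(st_sums.st_atime_ns, st_sums.st_mtime_ns))


def demo() -> dict:
    """Run the scenario end to end and report what each check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        case_dir = Path(tmp) / "case-0001"
        constructed_messages = [  # constructed sample data
            {"from": "+15550100", "text": "meet at 9"},
            {"from": "+15550199", "text": "ok"},
        ]
        offbox = write_report(case_dir, constructed_messages)
        mtime_before = (case_dir / "messages.json").stat().st_mtime_ns
        tamper_like_an_attacker(case_dir, 0, "meet at 10")
        return {
            "mtime_unchanged": (case_dir / "messages.json").stat().st_mtime_ns == mtime_before,
            "local_check_passes": local_check(case_dir),
            "independent_check_passes": independent_check(case_dir, offbox),
        }


if __name__ == "__main__":
    print(demo())
```

The local check passes after the edit because the attacker controls both the report and the checksum file, and the restored mtimes mean a directory listing shows nothing unusual; only the hash recorded outside the analysis host catches the change. In practice that means hashing extraction output at creation time and committing the hashes to a system the extraction workstation cannot modify.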
Signal released details of Cellebrite’s alleged vulnerabilities without warning the company, but said it would change tack if Cellebrite reciprocated. “We are of course prepared to responsibly disclose to Cellebrite the specific vulnerabilities we know about if they do the same for all vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”
Cellebrite told Ars Technica that it “aims to protect the integrity of our customers’ data, and we continually monitor and update our software to equip our customers with the best available digital smart solutions.” Signal’s claims should be treated with some skepticism until more details of the hack emerge and other security researchers confirm them.
Update 4/22/2021 7:23 AM ET: A reference to the Cellebrite tools used to unlock the iPhone of the San Bernardino killer has been removed because it was reportedly another company that did the work.
All products recommended by Engadget are selected by our editorial team, regardless of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.