> I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite.

While I'm skeptical of the method of acquisition, it would be interesting if they actually got the hardware and could publish details.

Update: other news outlets are reporting with more details, but not confirmation [0]

[0] https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/
> Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.

> Marlinspike published details about the exploits outside of normal "responsible disclosure" guidelines and suggested that he is willing to share details of the vulnerabilities as long as Cellebrite does the same with all the bugs the company uses to unlock phones, "now and in the future."

Pretty sure Cellebrite isn't going to do that because of their business model.

> In their analysis of the device, Signal researchers also found that it contained packages signed by Apple, and likely extracted from the Windows installer for iTunes version 12.9.0.167. According to Marlinspike, this could be a copyright violation.

I'd like to know how Apple will react to this!