Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer

1897 points, posted by derekerdmann about 4 years ago

44 comments

motohagiography, about 4 years ago
Wow, that video made my day. This bit is key:

> "For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question."

They may have just got a lot of evidence collected using Cellebrite from phones with (or without) Signal installed on them thrown out of court.

I don't recall the details, but there was an absolutely unsubstantiated, speculative and surely fictional rumor of at least one entirely theoretical zero-day non-gif formatted image file that exploited a similar class of vulnerability in what was probably not a market leading tool used tangentially for the same purposes, floating around well over a decade ago as well.

I for one am very glad that these hypothetical issues have almost surely been fixed.
po, about 4 years ago
This is truly a hacker's retort.

It attacks Cellebrite's ability to operate by casting doubt on the reports generated by the product that their customers may wish to use in court.

It places them in legal peril from Apple, and removes any cover Apple would have to *not* take legal action. (I assume someone at Apple knew they were shipping their DLLs?)

It makes a thinly-veiled threat that any random Signal user's data may actively attempt to exploit their software in the future and demonstrates that it's trivial to do so.

*edited to add a bonus one:*

Publish some data about what they are doing to help create a roadmap for any other app that doesn't want their data to be scanned.
tGr5lGf7, about 4 years ago
Cellebrite doesn't even have a bug bounty programme or a contact to report their bugs.

Last year I managed to gain partial access to one of their systems and it took me weeks of emailing their internal email addresses to finally fix the bug. They were total ass about it.

Now I've got complete access to their entire database and I don't know what to do. Can HN advise?
paddlesteamer, about 4 years ago
> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.

I wish I could see those files in action...
sathackr, about 4 years ago
Cellebrite's initial response[1] includes this gem:

"We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community."

And these policies are obviously quite effective at preventing such uses.

[1] https://www.theregister.com/2021/04/21/signal_cellebrite/
WrtCdEvrydy, about 4 years ago
This is something I have personally looked at as an owner of a UFED Touch device (1st gen). By default your software runs in a non-privileged account, but who's to say one of the files isn't just straight up being read by FFmpeg and adding or removing evidence from the final report.

The official Cellebrite policy has always been "don't worry, if you get stuck, we can send you an expert to testify to the reliability of the scientific evidence due to previous cases", but what happens when the pyramid of previous cases falls apart? Do you suddenly own a paperweight?

I've also published papers (with NIST's help) on using consumer grade hardware for forensics and why testing your tools across a wide variety of scenarios is critical.
colmmacc, about 4 years ago
As a Signal user and moxie fan I love that post, but I worry that it places *Signal* in legal peril from Apple.

My fear, and prediction, is that the authorities will frame this as an even more egregious attack on law enforcement and that interfering with investigations is a crime (I'm not a lawyer, but I play one in Hacker News comments, and that sounds like a crime). They'll lean on the app stores and the app stores will lean on or remove Signal.
hnrodey, about 4 years ago
I have a new-found perspective on the malware/spyware industry after watching The Dissident.

I am SO IMPRESSED with this middle finger from the Signal team.

https://www.imdb.com/title/tt11382384/
Ansil849, about 4 years ago
I don't understand the seeming incongruity between these two statements:

On the one hand:

> One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands.

But on the other hand:

> We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.

If UFED just copies data from unlocked phones, why would they be using vulnerabilities to do so?

I guess my question is: is Cellebrite capable of copying locked devices, or more to the point, does it have vulnerabilities to unlock devices without knowing the access PIN?
rubatuga, about 4 years ago
Truly a jaw-dropping blog post. As the top comment currently states, Apple may be legally required to, at the very least, comment on this situation.
amluto, about 4 years ago
Now if only I could use legitimate tools to access *my own* Signal data on an iOS device.
throwaway888abc, about 4 years ago
By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me.

Nailed it!
Nextgrid, about 4 years ago
So I wonder, why disclose this?

This will just prompt Cellebrite to improve its security process and sandbox the entire tool.

If they wanted to destroy the credibility of the tool, using the vulnerabilities to silently tamper with the collected data or even leaking it online would be a much better option and hit them without any warning, not only jeopardizing those cases but forever casting doubt on not just Cellebrite but their competitor tools.
qwertox, about 4 years ago
> Also of interest, the installer for Physical Analyzer contains two bundled MSI installer packages named AppleApplicationsSupport64.msi and AppleMobileDeviceSupport6464.msi. These two MSI packages are digitally signed by Apple and appear to have been extracted from the Windows installer for iTunes version 12.9.0.167.

Couldn't Apple now sue Cellebrite?
tony101, about 4 years ago
A reminder that you can pair-lock your iPhone to prevent analysis by Cellebrite or similar tools: https://arkadiyt.com/2019/10/07/pair-locking-your-iphone-with-configurator-2/
not1ofU, about 4 years ago
How do Cellebrite maintain "chain of custody" if they need to modify (hack) the device to get access? I was of the understanding that if any file is modified then "chain of custody" is no longer in good standing, and therefore cannot be used as evidence.
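The passage quoted in motohagiography's comment above describes reports being altered after the fact "with no detectable timestamp changes or checksum failures", and not1ofU's comment asks how chain of custody can hold up under that. As an added illustration from the defender's side (example code written for this page; it is not Signal's, Cellebrite's, or any commenter's code), the Python below shows why a checksum file stored inside the report bundle cannot detect such a change, and how a detached, keyed manifest recorded at acquisition time and kept off the report store does. The bundle contents, file names and key are constructed placeholders; HMAC-SHA256 stands in for the digital signature or trusted timestamp a real evidence workflow would use.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inline_checksums(files: dict) -> bytes:
    """Checksum file of the kind tools drop *inside* the report bundle.
    It covers every file except itself."""
    lines = [f"{sha256_hex(files[name])}  {name}\n"
             for name in sorted(files) if name != "checksums.txt"]
    return "".join(lines).encode()


def make_sample_bundle() -> dict:
    """Constructed toy 'extraction report': file name -> bytes."""
    files = {
        "report.html": b"<h1>Extraction report</h1><p>2 contacts, 1 message</p>",
        "contacts.csv": b"name,number\nAlice,+15550001\nBob,+15550002\n",
        "messages.csv": b"id,from,text\n1,Alice,see you at 9\n",
    }
    files["checksums.txt"] = inline_checksums(files)
    return files


def inline_checksums_ok(files: dict) -> bool:
    """The only check an examiner gets from a checksum file stored with the report."""
    return files.get("checksums.txt") == inline_checksums(files)


def build_manifest(files: dict, key: bytes) -> dict:
    """Detached manifest: hash of every file, authenticated with a key that is
    never stored on the machine holding the reports. HMAC stands in here for a
    digital signature or a timestamping service."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(files: dict, manifest: dict, key: bytes) -> dict:
    """Compare the bundle as stored now against the detached manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    mac_ok = hmac.compare_digest(
        hmac.new(key, body, "sha256").hexdigest(), manifest["mac"])
    entries = manifest["entries"]
    modified = sorted(n for n in entries
                      if n in files and sha256_hex(files[n]) != entries[n])
    missing = sorted(n for n in entries if n not in files)
    added = sorted(n for n in files if n not in entries)
    return {
        "mac_ok": mac_ok,
        "modified": modified,
        "missing": missing,
        "added": added,
        "intact": mac_ok and not (modified or missing or added),
    }


def simulate_later_modification(files: dict) -> dict:
    """Model the failure mode from the quoted passage: the stored bundle is
    changed after the fact and its inline checksum file is regenerated, so
    the in-bundle check keeps passing."""
    changed = dict(files)
    changed["messages.csv"] = files["messages.csv"] + b"2,Bob,this line was not in the original\n"
    changed["checksums.txt"] = inline_checksums(changed)
    return changed


def demo() -> dict:
    key = b"examiner-key-kept-off-the-report-store"  # constructed placeholder
    original = make_sample_bundle()
    manifest = build_manifest(original, key)  # recorded at acquisition time
    later = simulate_later_modification(original)
    return {
        "inline_check_passes_after_modification": inline_checksums_ok(later),
        "original": verify_manifest(original, manifest, key),
        "later": verify_manifest(later, manifest, key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints three verdicts: the inline checksum file still passes after the modification, the detached manifest verifies the untouched bundle, and the same manifest flags messages.csv and checksums.txt as modified afterwards. The point that carries over to real workflows is where the manifest lives: if it sits on the same host, in the same trust domain, as the software that wrote the report, it gives no more assurance than the inline checksum file.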
p4bl0, about 4 years ago
I hope Cellebrite users like the rhythm and lyrics of *Never Gonna Give You Up*.
maybelsyrup, about 4 years ago
This rocks so hard. Also the Prodigy soundtrack! Takes me back.
waltwalther, about 4 years ago
This is a really great piece. I have two observations.

1) "...saw a small package fall off a truck ahead of me..."

2) The very last paragraph is just great!
marcodiego, about 4 years ago
> One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands.

Aren't Cellebrite products/services more advanced than that? I mean, don't they use publicly unknown zero-days to extract data from locked phones?
Ice_cream_suit, about 4 years ago
Signal have just added files to compromise Cellebrite to their default installation!

"In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage.

These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.

Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding.

We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files."
idlewords, about 4 years ago
This is pretty irksome. I get how satisfying it must feel, but the one thing I want as a Signal proponent is for the app to be *boring* and reliable. That means make it easy enough to use to be mainstream, squash bugs, and do all the lovely security work you do.

That does not mean adding stuff like untraceable cryptocurrency payments or very publicly tweaking the noses of law enforcement, and bragging about how you're putting exploits in your app to hack them.

This isn't 1993 and the last thing we need is more pretexts to ban E2E encrypted apps in the countries where they're needed the most. I think this trades a moment's satisfaction for a very bad long-term outcome.
joeblau, about 4 years ago
Signal is almost like anti-virus software against Cellebrite.
JulianMorrison, about 4 years ago
> We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.

Mwahahahaha. Tell us how you hack our app and everyone else's, and we'll tell you how we hacked yours.

The middle finger is strong with this one.
Klonoar, about 4 years ago
If it's true that you can grab a Cellebrite hardware piece without too much difficulty (eBay, etc. - and note I'm not speaking from expertise, so someone please fact-check me), I'd find it hard to believe Apple wouldn't have done this kind of inspection themselves and/or noticed those DLLs being shipped.

Curious if there'll be a response of sorts.
cycomanic, about 4 years ago
> By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite.

That's just hilarious! Nice way of saying "we got our hands on one of these boxes, but we don't want to reveal how. It fell off a truck."
tazeg95, about 4 years ago
"I was recently out for a walk when I saw a small package fall off a truck ahead of me."... I laughed :)))
dredmorbius, about 4 years ago
Crossing the streams: the US Postal Inspection Service (which hosts iCOP, detailed in a recent Yahoo story) is a Cellebrite customer:

https://www.uspis.gov/wp-content/uploads/2020/02/FY-2019-annual-report-508-web.pdf (p. 35)

See: https://news.ycombinator.com/item?id=26892180 and https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.html
Malp, about 4 years ago
While this report is entertaining to read, I have to wonder about possible downstream repercussions of the implications within the last paragraph; if you're in police custody or worse and your Signal app contains some 'aesthetically pleasing files' that interfere with the authoritarian software, it's likely going to be your ass on the line for all sorts of charges.

Don't get me wrong, the implication is enough to discredit Cellebrite, but my initial thoughts are that either this bluff gets called, or there's a non-zero risk of someone landing in even hotter water down the line for using Signal. Of course, this assumes that you're not already neck-deep for having encrypted data and upholding your right to privacy.
upofadown, about 4 years ago
They literally said the unit fell off a truck. Funny...

Correct me if I am wrong, but did they really say they were going to be doing active attacks against Cellebrite units? Also funny... but they probably are not actually going to be doing that.
crb002, about 4 years ago
https://www.iowajustice.com/ is *amazing* at UFED defense.
cryptonector, about 4 years ago
> Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. [...]

Yeah, but they probably figured they're not being attacked. But now? Now they'll have to figure they are.
swyx, about 4 years ago
My TL;DR (but it's a damn good read and funny too):

- Cellebrite helps oppressive regimes read your messages
- Signal keeps your messages private
- Cellebrite announces "Signal support"
- Signal finds 9 years of vulnerabilities in Cellebrite
- Signal permanently pwns Cellebrite

You come at the king, you'd best not miss.
tediousdemise, about 4 years ago
To be fair, this vulnerability disclosure is worthless, because it wasn’t actually disclosed—the true vulnerability is purported to be in the file that Signal uses to execute arbitrary code, of which the details are not shared. We are relying on pure trust that the video demonstration of the purported vulnerability is not a forgery.

Additionally, I see from the video that the purported vulnerability is present in UFED version 7.40.0.229. There is nothing stopping Cellebrite from patching this purported vulnerability and shipping trustworthy versions of UFED going forward.

If there is a concern that the purported vulnerability still exists, the burden of proof will be with the person claiming the vulnerability exists, *for each new version of UFED*. Cellebrite doesn’t even need to implement actual code, but merely increment the UFED version number. It will be an endless cat and mouse game driven by baseless claims from both sides.

Since this vulnerability has not been reproduced by third parties, it could be equally likely that Signal is using a psyop rather than exploiting a genuine vulnerability. In either scenario, it casts doubt on Cellebrite; the damage is done by convincing you, the reader.
amai, about 4 years ago
"These two MSI packages are digitally signed by Apple"

Couldn't Apple simply revoke the signature?
akerro, about 4 years ago
This isn't the first time moxie0 found something important on a street, is it?
philshem, about 4 years ago
I'd also like to get really excited about this. Can someone ELI5?
qyi, about 4 years ago
> Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious.

> Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security.

People keep saying this. It has never changed since the 90s. There is no bar to become a "software engineer".
alfiedotwtf, about 4 years ago
Damn. That video says it all.
caeril, about 4 years ago
Something about this smells a little off.

If Moxie can get his hands on these devices and hack them, why can't Apple or Google, with all their resources, seem to be capable of REing them to fix the mobile device bugs they currently exploit?

Tinfoil hat perspective suggests they don't want to.
hellothestateis, about 4 years ago
kmk
sitzkrieg, about 4 years ago
I find it remarkably unbelievable someone would put a Cellebrite bag in the back of a truck given the price alone... and the timing too. Sure.
xchip, about 4 years ago
Any idea what this means? It is at the bottom of the article:

"In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.[...]"
systemvoltage, about 4 years ago
> By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.

Does anyone find a package dropping off a truck and first take a picture of it, then pick it up and go home to open it?

Even if someone picks up the package, usually taking a picture of it doesn't come to their mind. It's an unusual bit in the story. Unless they went back and put the bag on the road to show that it was found, just for the sake of "recreating the story".

How does something like a small briefcase just "fall from a truck"? By what mechanism? A briefcase would be stored inside the cabin.

If you're the author, can you explain my suspicion?