Moxie Marlinspike, creator of the Signal messaging app, has just thumbed his nose at Cellebrite in spectacular fashion. This company, which specializes in “data mining” smartphones, recently welcomed the opportunity to collect Signal data. For Mr. Marlinspike, it was obviously a casus belli, because he has just published a very sour blog post in which he reveals the existence of critical flaws in Cellebrite’s extraction solutions. These, let us remember, are mainly used by the police to collect evidence and clues from suspects’ mobile devices.
The biter bit
The capture and collection modules reportedly incorporate code that is sometimes very outdated and only weakly protected against malformed data, which opens the door to memory overruns and the like. “We have found that it is possible to run arbitrary code on a Cellebrite machine simply by including a specially formatted, but otherwise harmless, file in any application on a device which is then plugged into Cellebrite and scanned. There is virtually no limit on the code that can be executed”, explains Moxie Marlinspike, who also provides a demonstration video.
Such arbitrary code execution could wreak havoc on the analyses produced by Cellebrite’s tools, to the point of completely calling their integrity into question. That would obviously be a big problem in the context of legal proceedings. Somewhat teasingly, Moxie Marlinspike agrees to disclose the technical details of these flaws to Cellebrite, but only if “Cellebrite does the same for the loopholes it uses”.
In the meantime, the cryptographer announces, in a roundabout and ironic way, that he will use these flaws in Signal. Thus, files will be “periodically” placed in the messaging app’s storage space. They will not interact with the software, but “they are beautiful and aesthetics are important in software”. “We have several different versions of files that we find aesthetically pleasing and we will use them as we go”, points out Moxie Marlinspike.
He also takes the opportunity to land a legal jab. In his blog post, he reveals that Cellebrite uses DLL files created by Apple. “It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs into its own product, which could therefore present a legal risk to Cellebrite and its users.” And boom!