Signal CEO Hacks Cellebrite iPhone Hacking Device Used By Cops (vice.com)
FlatEric521 shares a report: Moxie Marlinspike, the founder of the popular encrypted chat app Signal claims to have hacked devices made by the infamous phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details about the new exploits for Cellebrite devices but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. "We were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."
Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters." Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.
It fell off a truck (Score:2)
Miss Piggy (when motorcycle appears): What an unbelievable coincidence!
Re:It fell off a truck (Score:5, Insightful)
It goes to show that the major vendors will only go so far to protect users. Surely Apple has been able to get hold of one of these devices, and understands how to brick it. The only reason they might not is retaliation from the authorities.
If Signal is brave enough to do this, then it is a reason for users to install and use the app.
Re: It fell off a truck (Score:3)
Re: (Score:3)
I hope Apple sues them for copyright infringement on the files they stole from the iTunes installer.
Re: (Score:3, Informative)
Zero chance of that. Cellebrite owns BlackBag [idropnews.com] which does have a legal right to most of these things in the context of forensic use as a Premier Partner(tm) with Apple. Generally these partner agreements last for at least as long as a forensic tool's support contract, which can be 10 years or more. Apple likely can't back out of it even if they wanted to.
Re: (Score:1)
Re: It fell off a truck (Score:5, Insightful)
In any case, his words were not under oath and he wasn't Mirandized, so he can just say he was using a common colloquialism, not describing the actual provenance.
Re: (Score:2)
Re: (Score:2)
Re:It fell off a truck (Score:5, Informative)
Isn't Signal based in California? If this is where the guy was when he found the device, then is he potentially admitting to the crime of misappropriating lost property (PC-485). It could be a defense if there were no way to track down the rightful owner, but I would think at least a call to the OEM with the serial number would be warranted. I believe that if the finder can't return it despite a reasonable effort, and the property is valued at over $100 (which I would think this is), it must be turned over to law enforcement. Anyway... I doubt it really fell off a truck, but I wouldn't go around broadcasting that I've broken the law, whether it is true or not.
He never said he broke the law; he probably just is protecting his source. He may even have returned the device once he was able to track down the name on the truck to determine the owner. Since he probably never accepted the EULA he isn't violating any licenses, either, by analyzing the device with some tools.
Personally, I would not be surprised if someone who was pissed at Cellebrite and what it represents, or wanted to see its vulnerabilities for their own purposes, and had access to the device, gave him at least temporary access.
Re: (Score:2)
Only if you assume that the truck was delivering it to another person, and not to his home.
We can play the pedant game as well as you can. Never mind that there's a right to lie under the First Amendment (United States v. Alvarez) and there's no chance that a prosecutor is going to attempt to charge him for anything based upon that statement alone.
"it fell off a truck" brought to mind the Sopranos.
Re: (Score:2)
Good job, that was the intention.
Re: (Score:1)
It doesn't matter whose truck or what it was doing, you don't get to keep abandoned property without first going through a bunch of process.
Re: (Score:2)
He never said he broke the law
In his story he describes a crime. It is as simple as that; not just in California.
And these are almost certainly trade secrets, which means his company is not entitled to use them, even if the crime committed to acquire them was relatively small.
You are assuming a crime was committed in gaining access. It is not necessarily illegal to obtain a company's trade secrets. Trade secrets are protected but reverse engineering is a normally accepted practice to determine how equipment works and doing so is an honest commercial practice and thus not illegal.
Re: (Score:2)
Are you referring to Marlinspike, or Cellebrite?
Re: (Score:1)
Yeah, who thinks that something that fell off a truck is up for grabs?
AIUI the legal remedy is to turn it in to police and after say 90 days you can claim it.
Moxie could have just said it appeared in a basket on his doorstep, swaddled in a Faraday cage.
Re: (Score:2)
AIUI the legal remedy is to turn it in to police and after say 90 days you can claim it.
Send them a non-certified letter and charge them daily storage fees just like the impound lot.
Re: (Score:2)
A defense against this charge is that he didn't intend to keep the property. :)
I'm sure he's just poking around in it in an attempt to find out where he should return it.
Re:It fell off a truck (Score:5, Insightful)
Trade secrets are fair game. Only patents can be enforced (and only if he used something patented to sell his own stuff).
If you discover a trade secret, you get to keep it.
Re:It fell off a truck (Score:5, Insightful)
Re: (Score:2)
There is nothing illegal about learning or decimating trade secrets,
Disseminating, maybe?
Re: (Score:2)
Actually, in 2016, the US passed the Defend Trade Secrets Act [wikipedia.org] which may make disseminating a trade secret a federal crime.
On the other hand, I see no trade secrets being disseminated here. It's a big stretch to claim that having security vulnerabilities in your software is a trade secret.
Re: (Score:1)
Re: (Score:2)
I am pretty sure its intended to be tongue in cheek. More than likely he borrowed or someone re-sold him a unit. This almost certainly violates their shrink wrap license and he is protecting his intermediary.
Pretty sure anyone in the DAs office that reads this will assume as much.
Re: (Score:2)
Step one of reasonable effort to return it, open it up and see if someone put name and address inside. Also at this point, he has put a prominent notice online so the owner can contact him.
With the many vulnerabilities and copyright violations inside, one might argue that it isn't actually worth a plug nickel.
Really? (Score:3)
"By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. "
I also know people owning lots of electronic devices that fell off a truck.
Re: (Score:2)
IANAL, and this is pure speculation.
Re:Really? (Score:4, Insightful)
"IANAL, and this is pure speculation."
He says it himself that it is unbelievable, so we shouldn't believe it. :-)
Re: (Score:1)
Re: (Score:2)
I wonder if this is before or after he lost all his guns in a boating accident.
Re: (Score:2)
Over time, in the industry, such electronics end up in the homes of various engineers.
When you know enough of them, sometimes, some of them are willing to give them away to someone who's interested (and who they may be interested to see what is done with it)
I'm really only surprised it took this long.
Re: (Score:2)
Yes I buy stuff from Amazon too.
Re: (Score:3)
Just your conclusion is somewhat off.
makes me feel like (Score:2)
Should I take a hammer to both my Android and iPhone, toss 'em in the trash, and go buy a dumb flip-phone that doesn't do anything other than phone calls and text messages? Sure it will lack the bells & whistles, but at least there won't be any personal info on it worth looking at.
Re: makes me feel like (Score:1)
Citation needed.
Phone conversations are encrypted. Sure, it's not great encryption, but I don't buy that they're getting scooped up en masse. At least not since the Snowden revelations. Even when the NSA did it under the auspice of the Patriot Act(s), they were found to have done so "inappropriately".
Re: (Score:3)
Re: makes me feel like (Score:3)
No, I just don't consider the NSA the authorities. Their role is more national defense than law enforcement. And I don't believe the FBI, DEA, or local law enforcement are scooping up our phone conversations en masse. At most they have overly wide dragnets over neighborhoods under judicial authorization.
Re: makes me feel like (Score:2)
Re: (Score:2)
Phone conversations using mobile phones are encrypted over the air, not end to end. They traverse the telco's networks in unencrypted form.
Re: (Score:2)
Between the phone and tower yes, but the phone must drop encryption if the tower requests it, and the infrastructure backend must have lawful intercept capability.
You should ask yourself this. Did anyone at the NSA go to jail for mass-tapping?
Re: (Score:2)
Re: (Score:2)
I should not trust my smartphone anymore
You never should have trusted it. What a rube.
Re: (Score:2)
Probably shouldn't trust your smart phone. But on the other hand, it's starting to look like installing Telegram is probably a good idea.
Re: (Score:2)
Fake name and fake story. Am I supposed to trust Signal more now?
While this story may certainly have some questionable elements, the name Moxie Marlinspike is hardly new...
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
I said it was fake, didn't say it was new. I'm saying that I don't trust the guy because he has given me no reason to trust him. Telling dubious stories under an assumed name is no way to gain trust, no matter how recently you picked your fake name or your bullshit story. What you are saying is that this guy hasn't been trustworthy for some time. If you want me to buy your security product then you'd better be honest from the start and always.
Re:bullshit (Score:4, Insightful)
I said it was fake, didn't say it was new. I'm saying that I don't trust the guy because he has given me no reason to trust him. Telling dubious stories under an assumed name is no way to gain trust, no matter how recently you picked your fake name or your bullshit story. What you are saying is that this guy hasn't been trustworthy for some time.
Ah, no. You are the one implying that the simple use of a pseudonym by someone in the security community, somehow automatically makes them a liar blackhat.
He's been around for quite a long time, including his name. Bullshitters usually get called out on their bullshit, and people do not end up listening to them for long. He's been writing papers and giving security talks for almost 20 years now. If he's been deemed untrustworthy, then he's been a professional liar for a long damn time, and bullshitting some very smart people along the way.
If you want me to buy your security product then you'd better be honest from the start and always.
If you want to buy any security product from anyone, best learn how those in the industry work. Pseudonyms are hardly new, nor automatically bad or untrustworthy.
Awwshit, what am I saying? You probably knew that, right?
Yeah, it's a dubious story. But this is a hell of a lot of effort to go through, for a lie.
https://signal.org/blog/cellebrite-vulnerabilities/
Oddly enough, someone trusted him enough to let him "borrow" a fully equipped Cellebrite hardware bundle to do this research. Maybe he isn't the imaginary blackhat bullshitter that fell out of the sky yesterday.
I didn't see anything about patching phone OS (Score:2)
When can we expect Android and IOS patches that neuter Cellebrite's security bypass and data extraction tools?
Re: (Score:2, Informative)
Anyway, you really should not trust your phone. All the whining about phone encryption getting in the way of law enforcement is theater. They want you to trust your phone. Mobile phone standards are i
Re: (Score:2)
> When can we expect Android and IOS patches that neuter Cellebrite's security bypass and data extraction tools?
Cellebrite is useful to Apple and Google - they can tell the Feds to leave them alone because they have other options.
Moxie is DEFINITELY NOT going to plant Cellebrite exploits in Signal so that any phone with Signal on it will crash Cellebrite's tools. Because we can rely on the government to protect our lives, liberty, and property according to the Social Contract that we all signed.
^lies
Defense (Score:3)
When can we expect Android and IOS patches that neuter Cellebrite's security bypass and data extraction tools?
Apparently, according to M0xie, the Cellebrite software is so horrendously bad that the simple existence of some files with imperfect content can utterly b0rk it.
A.k.a. Cellebrite devs were cretins enough to not even attempt to sanitize their input.
Also:
Re: (Score:1)
Re:Defense (Score:5, Informative)
I work with clients in telecom; and cellebrite and mce systems (both Israeli companies as it happens) make devices sold to mobile dealers to do data backup/transfers between phones. It was a bigger deal in the flip phone, RAZR, blackberry days, but is still useful today even with most people on iphones and androids.
I've seen piles of devices from both companies, and the "bizarre number of adapters" they come with. :)
The functionality is pretty impressive; the software quality is not great but not bad compared to my experience with other tools in this type of non-end-user / non-retail-consumer-facing category. It is surprisingly bloated (some of it due to including device drivers to talk to every phone under the sun).
Customer support, in my experience at least, was surprisingly good and (based on the support agent names and accents) was done from Israel; not outsourced.
I don't know how much different law enforcement versions are; I doubt much different (likely sharing large chunks of data processing and device driver code) with some extra "unlocking" features enabled.
I'd also not be surprised that the existence of some files can break it; anyone who has used it much to back up and restore phones has run into cases where something just wouldn't sync and would block entire categories of data from being transferred thanks to a corrupt calendar entry or contact record or whatever. It would not surprise me if you could deliberately craft data to screw with it.
In completely unrelated news... (Score:2)
...upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.
This made me laugh. They're telling law enforcement that if they hack devices with Signal, that they are opening themselves up to being hacked by Signal.
Re:In completely unrelated news... (Score:4, Funny)
Moxie's whole blog post is pure gold. I especially enjoyed this paragraph:
I definitely LOL'ed at that one...
Re: (Score:1)
Yep, fair is fair! :)
Re: (Score:1)
I hadn't thought about that, neat!
Wider implication (Score:5, Insightful)
The implication is MUCH wider. Essentially if the Cellebrite device has EVER scanned a phone that had a properly prepared file on it, ALL scans the device has ever conducted or will conduct in the future are potentially tainted including adding removing or altering "found" contacts or media content.
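One defensive check a forensic examiner would want against the tainting this comment describes is a tamper-evident record of what an extraction contained when it was taken. The following is an added example in Python, not code from the Signal post, from Cellebrite, or from any commenter: it hashes every artifact of an extraction at acquisition time, seals the hash list with an HMAC under a key the examiner keeps off the extraction tool, and later reports any artifact that was added, removed or modified. The artifact names, their contents and the key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample extraction (artifact name -> bytes). These are made-up
# stand-ins for the contacts, media and databases an extraction report holds.
ACQUISITION = {
    "contacts/0001.vcf": b"BEGIN:VCARD\nFN:Alice Example\nTEL:+1-555-0100\nEND:VCARD\n",
    "media/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9",
    "messages/sms.db": b"SQLite format 3\x00" + b"\x00" * 16,
}

# Placeholder key; in practice held by the examiner, never on the extraction tool.
MANIFEST_KEY = b"examiner-held-key-placeholder"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Hash every artifact at acquisition time and seal the list with an HMAC."""
    entries = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def manifest_sealed(manifest: dict) -> bool:
    """True if the manifest's entries still match the HMAC computed at sealing."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_extraction(manifest: dict, artifacts: dict) -> list:
    """Compare artifacts against the sealed manifest.

    Returns sorted (kind, name) findings; an empty list means the extraction
    is consistent with what was sealed. A manifest whose seal fails is reported
    on its own, because none of its entries can then be trusted.
    """
    if not manifest_sealed(manifest):
        return [("manifest-tampered", "*")]
    findings = []
    recorded = manifest["entries"]
    for name, digest in recorded.items():
        if name not in artifacts:
            findings.append(("removed", name))
        elif sha256_hex(artifacts[name]) != digest:
            findings.append(("modified", name))
    for name in artifacts:
        if name not in recorded:
            findings.append(("added", name))
    return sorted(findings)


def demo() -> list:
    """Seal the constructed extraction, then alter it the way the comment fears."""
    manifest = build_manifest(ACQUISITION)
    later = dict(ACQUISITION)
    # A contact's number changed, a contact planted, a media file dropped.
    later["contacts/0001.vcf"] = later["contacts/0001.vcf"].replace(b"0100", b"0199")
    later["contacts/0002.vcf"] = b"BEGIN:VCARD\nFN:Planted Contact\nEND:VCARD\n"
    del later["media/IMG_0001.jpg"]
    return verify_extraction(manifest, later)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:9s} {name}")
```

The check is only as good as the moment of sealing: it detects changes made to a report after the manifest was taken, but a tool that was already compromised during acquisition would seal an already-altered set of artifacts, which is the scenario the comment raises. The only independent control against that is to compare the tool's output with a copy of the same data acquired separately, and to keep the sealing key and the manifest somewhere the extraction tool cannot reach.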
Re: (Score:2)
There was a similar case in the late 90s. Some bit of forensic software that was widely used could be exploited to run arbitrary code by editing your filesystem in a way that Windows would ignore.
I don't know what happened, probably nothing. At least in the UK you would need some additional evidence that the files on your computer were tampered with, the mere fact that it could have happened isn't enough. The police will say they have anti virus software so were not hacked.
Re: (Score:3)
It's all too common for police to completely ignore a glaring evidentiary error and claim "nothing to see here". Unfortunately, the courts too often bend over backwards to take their word for that.
Re: (Score:2)
Finally, Cellebrite et al. eating their own dog food.
What if it's a false flag? (Score:1)
The whole notion of it falling off the back of a truck at just the right place, at just the right time, in front of just the right person makes me think the whole thing was planted to fool Signal into thinking it was getting the keys to the kingdom, when in reality it was probably planted and right now Cellebrite is hacking into Signal's systems.
Re: (Score:2)
Or “this object fell off a truck” is another way of saying “we will not tell you how we got hold of this object”.
Whatever is more likely.
Cellebrite also pirates Apple software (Score:2)
Cellebrite seems quite basic? (Score:3)
It seems to be a glorified dd/adb backup/iTunes backup) with a parser bolted on top (similar to PhotoRec?).
The screenshot repeatedly says that the user has to unlock the device, enable USB debugging (Android) or hit "trust this device". So a bog standard screen lock should protect at least against this version of Cellebrite.
That being said, the last paragraph of the article is very nice (including certain files in Signal for purely esthetic reasons)
FFmpeg? (Score:4, Interesting)
FFmpeg License
FFmpeg is licensed under the GNU Lesser General Public License (LGPL) version 2.1 or later. However, FFmpeg incorporates several optional parts and optimizations that are covered by the GNU General Public License (GPL) version 2 or later. If those parts get used the GPL applies to all of FFmpeg.
Read the license texts to learn how this affects programs built on top of FFmpeg or reusing FFmpeg. You may also wish to have a look at the GPL FAQ.
Note that FFmpeg is not available under any other licensing terms, especially not proprietary/commercial ones, not even in exchange for payment.
Wonder what other GPL violations there are?
A new take on "hack back" (Score:2)
I like it! Use Cellebrite on a device with Signal, lose the hardware. As the use of Cellebrite is not authorized by the device owner, this should even be legal, possibly with a warning message in the Signal TOU (not shown when Cellebrite is used, of course, but that is _their_ problem).
Not sure I understand the objection here (Score:1)
If I have this right, the complaint is that Cellebrite's unlocking software has vulnerabilities that could allow an attacker to plant false evidence on a phone.
So, basically during an investigation the Police or some other nefarious entity could plant false evidence to implicate a suspect.
In other words, planting false evidence is a possibility in this particular case just like in any other criminal investigation conducted by Police ever.
Sounds a lot more like FUD to me.