Thursday, 22 April 2021 11:06

Signal chief exposes poor security in Israeli firm Cellebrite's software

An Israeli company that makes software for breaking into mobile devices including iPhones, has been publicly shamed by cryptographer Moxie Marlinspike, the creator of the Signal messaging app, who exposed poor security in the software which the company uses.

But while demolishing these so-called experts, Marlinspike, whose real name is Matthew Rosenfeld, showed that he had a quirky sense of humour, by claiming that he had gained access to the latest versions of Cellebrite's wares by noticing that they had fallen off a truck ahead of him while he was out on a walk!

Cellebrite was the company rumoured to be behind cracking into an iPhone 5C owned by a terrorist who was involved in an attack in San Bernardino, California, in 2015. That was until the Washington Post revealed recently that in reality it was a contractor hired by the Australian firm Azimuth Security who had done the job.

Marlinspike made no effort to disguise his loathing for Cellebrite, opening his post with, "They exist within the grey – where enterprise branding joins together with the larcenous to be called 'digital intelligence'.

"Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, the UAE, and elsewhere."

He said some months ago, the Israeli firm had announced the addition of Signal support to their software.

Good exploits are carried out from afar, and Marlinspike made sure to mention that Cellebrite's software only works when its operator already has physical possession of the targeted mobile.

And in case that wasn't clear, he spelt it out: "Cellebrite does not do any kind of data interception or remote surveillance. They produce two primary pieces of software (both for Windows): UFED and Physical Analyzer."

He said UFED created a back-up of the device to the Windows machine on which it was running. After this, Physical Analyzer parsed the files that had been backed up to display them in a browsable form.

"When Cellebrite announced that they added Signal support to their software, all it really meant was that they had added support to Physical Analyzer for the file formats used by Signal," Marlinspike said. "This enables Physical Analyzer to display the Signal data that was extracted from an unlocked device in the Cellebrite user’s physical possession.

"One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands."

And then came the fun bit. "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me," said Marlinspike, tongue no doubt firmly in cheek.

"As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters."

Because Cellebrite's software parses "untrusted" data in a large number of file formats, it operates in exactly the territory where security vulnerabilities are typically created. Given this, Marlinspike said, he expected Cellebrite to be ultra-cautious about the security of its own software. He found this was not the case.

"Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defences are missing, and many opportunities for exploitation are present," he said.

"As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then. There have been over a hundred security updates in that time, none of which have been applied."
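The two findings quoted above, missing exploit mitigations and years-old bundled DLLs, are both visible in a binary's PE headers, which is where a reviewer auditing third-party Windows software would look first. The following is an added example written for this article, not code from Signal, Marlinspike's post, or Cellebrite: it parses the DOS, COFF and optional headers of a PE image with only the standard library, reports which DllCharacteristics hardening bits (ASLR, DEP, high-entropy ASLR, Control Flow Guard) are absent, and computes the age of the linker timestamp. The `build_sample_pe` helper constructs minimal, non-executable header-only images purely so the example runs offline; the timestamps, flag values and the 22 April 2021 reference date are constructed inputs, and the flag constants are the documented PE/COFF `IMAGE_DLLCHARACTERISTICS_*` bits.

```python
"""Audit the hardening flags and build date of a Windows PE image.

Added example (not vendor or Signal code). Reads only PE headers using the
standard library; the sample images below are constructed, not real binaries.
"""
import struct
from datetime import datetime, timezone
from typing import Optional

# IMAGE_DLLCHARACTERISTICS_* bits as defined in the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # ASLR: image may be relocated at load time
NX_COMPAT = 0x0100         # DEP: data pages are non-executable
GUARD_CF = 0x4000          # Control Flow Guard

# Mitigations every modern build should carry; high-entropy ASLR only applies to PE32+.
MITIGATIONS_ALL = {
    "ASLR (DYNAMIC_BASE)": DYNAMIC_BASE,
    "DEP (NX_COMPAT)": NX_COMPAT,
    "Control Flow Guard (GUARD_CF)": GUARD_CF,
}
MITIGATIONS_64 = {"High-entropy ASLR (HIGH_ENTROPY_VA)": HIGH_ENTROPY_VA}

# Constructed reference date (the article's publication date) for deterministic ages.
AUDIT_DATE = datetime(2021, 4, 22, tzinfo=timezone.utc)


def audit_pe(data: bytes, as_of: Optional[datetime] = None) -> dict:
    """Parse the PE headers and return architecture, build time, age and missing mitigations.

    Raises ValueError on anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _machine, _nsec, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 0x48 or len(data) < opt + 0x48:
        raise ValueError("optional header too short to contain DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    arch = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if arch is None:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    # DllCharacteristics sits at offset 0x46 of the optional header in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]

    expected = dict(MITIGATIONS_ALL)
    if arch == "PE32+":
        expected.update(MITIGATIONS_64)
    missing = [name for name, bit in expected.items() if not dll_chars & bit]

    built = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    as_of = as_of or datetime.now(timezone.utc)
    age_years = (as_of - built).days / 365.25
    return {"arch": arch, "built": built, "age_years": age_years,
            "dll_characteristics": dll_chars, "missing": missing}


def build_sample_pe(timestamp: int, dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image for demonstration (constructed sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> right after DOS header
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(data: bytes, label: str, as_of: Optional[datetime] = None) -> str:
    """Human-readable one-paragraph verdict for a single image."""
    r = audit_pe(data, as_of)
    lines = [f"{label}: {r['arch']}, built {r['built']:%Y-%m-%d} ({r['age_years']:.1f} years old)"]
    lines.append("  missing mitigations: " + (", ".join(r["missing"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples: a 2012-era DLL with no hardening bits, and a 2021 hardened build.
    stale = build_sample_pe(1340000000, 0)
    hardened = build_sample_pe(1610000000,
                               DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA | GUARD_CF,
                               pe32plus=True)
    print(report(stale, "sample-2012.dll", AUDIT_DATE))
    print(report(hardened, "sample-2021.dll", AUDIT_DATE))
```

Run against a real installation, the same `audit_pe` call over every `.dll` and `.exe` in the product directory gives a quick inventory of which components lack ASLR, DEP or CFG and how old their linker timestamps are; a build date many years in the past is the cue to check the component's upstream security advisories, which is exactly the gap the FFmpeg example above describes.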

He said that his research showed that it was possible to run arbitrary code on any Cellebrite machine through a specially formatted, but otherwise innocuous, file in any app on a device that was later plugged into Cellebrite and scanned.

"There are virtually no limits on the code that can be executed," Marlinspike added. He also provided more details about the security issues in Cellebrite's offerings.

His sense of humour again came to the fore at the end of his post. "In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software," Marlinspike wrote, offering a strong hint that these files would have one purpose: to mess with Cellebrite's software.

"Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files."


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
