Moxie Marlinspike, the founder of the popular encrypted chat app Signal, claims to have hacked devices made by the phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details of new exploits for Cellebrite devices, but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse.
"We were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."
Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: “By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters."
Cellebrite devices are used by cops to unlock iPhones in order to gather evidence from encrypted devices. This can include photos and messages on the device, potentially including Signal messages.
Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.
To be clear, this is a pretty ballsy show of force. Marlinspike published details about the exploits outside of normal "responsible disclosure" guidelines and suggested that he is willing to share details of the vulnerabilities as long as Cellebrite does the same with all the bugs the company uses to unlock phones, "now and in the future."
A message to Cellebrite posted by Signal on Twitter. (Image: Motherboard)
In a slightly nebulous final paragraph. Marlinspike said that future versions of Signal will include files that "are never used for anything inside Signal and never interact with Signal software or data," perhaps implying these could be designed to tamper with Cellebrite devices.
We reached out to Signal to ask them to clarify what Marlinspike meant exactly in the last paragraph of his blog post.
Do you work for Cellebrite? Or do you research vulnerabilities on iPhones and Android devices? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at email@example.com, or email firstname.lastname@example.org
Cellebrite did not immediately respond to a request for comment.
In their analysis of the device, Signal researchers also found that it contained packages signed by Apple, and likely extracted from the Windows installer for iTunes version 126.96.36.199. According to Marlinspike, this could be a copyright violation.
Subscribe to our cybersecurity podcast, CYBER.