Cellebrite, a well-known provider of phone-unlocking and hacking technology for law enforcement agencies, pushed an update to its products less than a week after the CEO of Signal claimed to have hacked one of the company's products.
Moxie Marlinspike, the founder of the popular encrypted messaging app Signal, explained in a blog post last week that he had obtained a Cellebrite device and found that "industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present." According to him, that allowed an attacker to embed malicious files in their app or phone—once connected to a Cellebrite unlocking device—that would then exploit the Cellebrite devices and manipulate what kind of data the device could access, potentially compromising police investigations.
On Monday, Cellebrite pushed an update to its customers.
A source who works in the forensics industry provided Motherboard with a copy of the Cellebrite announcement. Motherboard granted the source anonymity to protect them from retaliation from Cellebrite. Motherboard obtained multiple copies of the announcement.
Two new version updates "have been released to address a recently identified security vulnerability. The security patch strengthens the protections of the solutions," the announcement read.
Cellebrite has limited which products can perform a logical iOS extraction. Mobile forensics products typically perform logical and physical extractions, with the former being the simpler of the two.
"As part of the update, the Advanced Logical iOS extraction flow is now available in Cellebrite UFED only," the announcement added.
The announcement did not specifically say whether the addressed vulnerability is one and the same as the one disclosed by Marlinspike. It does add that "Based on our reviews, we have not found any instance of this vulnerability being exploited in the real-life usage of our solutions."
"This update is precautionary, as per our security response procedures. As always, we recommend customers regularly apply the latest software version updates," the message reads.
A Cellebrite customer, who asked to remain anonymous as they were not allowed to speak to the press, said that they believed these updates were to address the vulnerabilities found by Marlinspike.
"It appears to be an attempt to minimize the attack surface not a 'fix,'" the source said.
Andrew Garrett, CEO of forensics firm Garrett Discovery, told Motherboard in an email that "Most law enforcement have IT administrators that monitor and work on computers within the forensic lab and based on these types of attacks they should reconsider their network architecture to avoid someone taking total control of their network. The entire ecosystem of digital forensic tools is built on egg shells."
On Sunday, an Israeli human rights lawyer sent a letter to the country's attorney general demanding that Israeli police stop using the forensic technology until it can be fully audited, Haaretz reported.
Marlinspike's blog post was the latest in escalating tensions between Signal and Cellebrite. Signal is one of the largest encrypted messaging services in the world; Cellebrite's products are designed to extract information from devices, including message content. Last year, Cellebrite published a blog post titled "Cellebrite's new solution for decrypting the Signal app." Marlinspike then published a blog post titled "No, Cellebrite cannot 'break Signal encryption,'" and last week published the blog post describing Cellebrite vulnerabilities.
Cellebrite did not respond to a request for comment.