If you deal with forensic mobile device collection for eDiscovery, you’re probably aware of the company Cellebrite – their software is probably the most popular for unlocking mobile devices and extracting data from them. To do so, Cellebrite has been very successful in exploiting vulnerabilities overlooked by device manufacturers. Now, according to the CEO of a popular messaging app, there may be a number of potential security flaws in Cellebrite itself.
On Wednesday, Moxie Marlinspike (yes, that’s his real name), creator of the Signal messaging app, published a post that reported vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze devices. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded into any app installed on the device.
Stating that “[t]here are virtually no limits on the code that can be executed”, Marlinspike wrote: “For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.”
As reported by Dan Goodin in ARS Technica, Cellebrite provides two software packages: UFED breaks through locks and encryption protections to collect deleted or hidden data, and a separate Physical Analyzer uncovers digital evidence (“trace events”). To do their job, both pieces of Cellebrite software must parse all kinds of untrusted data stored on the device being analyzed. Typically, software that is this promiscuous undergoes all kinds of security hardening to detect and fix any memory-corruption or parsing vulnerabilities that might allow hackers to execute malicious code.
“Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security,” Marlinspike wrote. “Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.”
One example of this lack of hardening was the inclusion of Windows DLL files for audio/video conversion software known as FFmpeg. The software was built in 2012 and hasn’t been updated since. Marlinspike said that in the intervening nine years, FFmpeg has received more than 100 security updates. None of those fixes are included in the FFmpeg software bundled into the Cellebrite products.
Marlinspike included a video that shows UFED as it parses a file he formatted to execute arbitrary code on the Windows device to display a benign window (which states “MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!), but if you can do that, you can imagine what else you can do.
Marlinspike said he obtained the Cellebrite gear in a “truly unbelievable coincidence” as he was walking and “saw a small package fall off a truck ahead of me.” Yes, he actually said that, but he also shows a picture of the reported package on his post. Marlinspike declined to provide additional details about precisely how he came into possession of the Cellebrite tools.
As Goodin notes, the potential security flaws in Cellebrite could provide fodder for defense attorneys to challenge the integrity of forensic reports generated using the Cellebrite software. Cellebrite representatives didn’t respond to an email asking if they were aware of the vulnerabilities or had plans to fix them.
Rob Robinson’s Complex Discovery blog provides links to several articles (including Goodin’s) discussing the potential security flaws in Cellebrite here. In response to one of those articles published by Gizmodo, Cellebrite issued the following statement:
“Cellebrite enables customers to protect and save lives, accelerate justice and preserve privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community. Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available.”
I’m sure we haven’t seen the last of this story and it certainly has significant ramifications for those who use Cellebrite for mobile device forensics and collection.
Just a reminder that we need your help! If you are a corporate legal professional, please consider taking the first ever IPRO/eDiscovery Today Corporate Legal Snapshot Survey! It has 11 questions and literally takes a minute! Link to the survey is here, webinar and report on the results coming in June!
So, what do you think? Are you concerned about the potential security flaws in Cellebrite? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.