Signal app’s Moxie says it’s possible to sabotage Cellebrite’s phone-probing tools with a booby-trapped file • The Register


It is possible to hijack and manipulate Cellebrite’s phone-probing software tools by placing a specially crafted file on your handset, it is claimed.

Signal app supremo Moxie Marlinspike said in an advisory on Wednesday that he managed to get his hands on some of Cellebrite’s gear, which is typically used by cops, government agents, big biz, and authoritarian regimes to forcibly access the contents of physically seized smartphones.

Once a device is unlocked by Cellebrite’s UFED software, its files and applications can be examined using a Cellebrite program called Physical Analyzer running on a Windows PC.

Marlinspike claims this software collection does a poor job of protecting itself when parsing malicious data extracted from handsets, to the point where it’s possible for an innocent-looking file to inject and execute arbitrary code on the host PC.

That code can then modify the analyzer’s operation, manipulate forensics reports, and so on. Essentially, you can turn the tables on whoever’s probing the phone and hamper their investigation. Here’s how Marlinspike put it:

Proof-of-concept exploits have been developed for UFED and Physical Analyzer to prove this, we’re told. Signal’s creator went on to say he’ll disclose the holes he’s found when Cellebrite discloses the vulnerabilities it exploits to forcibly unlock confiscated handhelds.

The main problem, it’s said, is that Cellebrite’s suite includes software libraries – such as FFmpeg DLLs – that haven’t been updated to remove exploitable bugs, “industry-standard exploit mitigation defenses are missing,” and “many opportunities for exploitation are present.”
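To see what “exploit mitigation defenses are missing” means in practice, here is an added example (not from the article, Signal or Cellebrite) that reads a Windows DLL or EXE header and reports which opt-in mitigations (ASLR, high-entropy ASLR, DEP, Control Flow Guard) its PE `DllCharacteristics` field lacks; `make_fake_pe` is a constructed header used only for offline testing.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flag bits, per the PE/COFF spec.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit high-entropy ASLR
    "DYNAMIC_BASE":    0x0040,  # ASLR (image may be relocated)
    "NX_COMPAT":       0x0100,  # DEP / no-execute stack and heap
    "GUARD_CF":        0x4000,  # Control Flow Guard
}

def pe_mitigations(data: bytes) -> dict:
    """Return which exploit-mitigation flags a PE image (EXE/DLL) opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 4 + 20                                 # skip 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {name: bool(dll_chars & bit) for name, bit in DLL_CHARACTERISTICS.items()}

def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image does NOT enable (empty list is good)."""
    return [name for name, on in pe_mitigations(data).items() if not on]

def make_fake_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for testing; not a loadable image."""
    pe_off = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr += b"PE\0\0" + b"\0" * 20                         # signature + empty COFF header
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(hdr + opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                             # e.g. every DLL shipped with a tool
        with open(path, "rb") as f:
            print(path, "missing:", missing_mitigations(f.read()) or "none")
```

Run it over a directory of DLLs to get a quick inventory of which components lack ASLR, DEP or CFG; an unpatched decoder library that also reports all four missing is exactly the combination the advisory describes.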

Finally, and seemingly as a result of all this, Marlinspike strongly hinted that future versions of Signal may include files that mess up Cellebrite’s software:

This all comes after Cellebrite announced it had updated Physical Analyzer to parse the file formats used by Signal on unlocked devices. A spokesperson for Israel-headquartered Cellebrite was not available for immediate comment on Marlinspike’s findings. ®