But while demolishing these so-called experts, Marlinspike, whose real name is Matthew Rosenfeld, showed that he had a quirky sense of humour, by claiming that he had gained access to the latest versions of Cellebrite's wares by noticing that they had fallen off a truck ahead of him while he was out on a walk!
Cellebrite was the company rumoured to be behind cracking into an iPhone 5C owned by a terrorist who was involved in an attack in San Bernardino, California, in 2015. That was until the Washington Post revealed recently that in reality it was a contractor hired by the Australian firm Azimuth Security who had done the job.
Marlinspike made no effort to disguise his loathing for Cellebrite, opening his post with, "They exist within the grey – where enterprise branding joins together with the larcenous to be called 'digital intelligence'.
If there are remote execution vulnerabilities in Cellebrite, it's possible they can be triggered by files other than those created by Signal. Can an exploit be, say, stenographically embedded in a jpg cached by a browser, for example? It's likely the full scope isn't yet known.
— matt blaze (@mattblaze) April 21, 2021
He said some months ago, the Israeli firm had announced the addition of Signal support to their software.
Good exploits are carried out from afar and Marlinspike made sure to mention that Cellebrite's software could only work if someone else had access to a targeted mobile.
And in case that wasn't clear, he spelt it out: "Cellebrite does not do any kind of data interception or remote surveillance. They produce two primary pieces of software (both for Windows): UFED and Physical Analyzer."
He said UFED created a back-up of the device to the Windows machine on which it was running. After this, Physical Analyzer parsed the files that had been backed up to display them in a browsable form.
"When Cellebrite announced that they added Signal support to their software, all it really meant was that they had added support to Physical Analyzer for the file formats used by Signal," Marlinspike said. "This enables Physical Analyzer to display the Signal data that was extracted from an unlocked device in the Cellebrite user’s physical possession.
"One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands."
And then came the fun bit. "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me," said Marlinspike, tongue no doubt firmly in cheek.
"As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters."
As Cellebrite aimed to parse "untrusted" data from many formats, it was operating in the space where security vulnerabilities were created. Given this, Marlinspike said, he expected Cellebrite would be ultra-cautious about the security of its own software. But he found this was not the case.
"Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defences are missing, and many opportunities for exploitation are present.=," he said.
"As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then. There have been over a hundred security updates in that time, none of which have been applied."
He said that his research showed that it was possible to run arbitrary code on any Cellebrite machine through a specially formatted, but otherwise innocuous, file in any app on a device that was later plugged into Cellebrite and scanned.
"There are virtually no limits on the code that can be executed," Marlinspike added. He also provided more details about the security issues in Cellebrite's offerings.
His sense of humour again came to the fore at the end of his post. "In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software," Marlinspike wrote, offering a strong hint that these files would have one purpose: to mess with Cellebrite's software.
"Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files."
