Signal says Cellebrite phone
Cellebrite was just put on notice.
The Israel-based company, which makes smartphone-hacking tools beloved by U.S. law enforcement and oppressive regimes around the world, failed to properly secure its own software — potentially compromising the integrity of all data gathered by its customers in the process.
That's according to a brutal blog post from Signal founder Moxie Marlinspike, published Wednesday on the official Signal blog, which alleges serious security flaws in Cellebrite's software.
"[We] were surprised to find that very little care seems to have been given to Cellebrite's own software security," he writes. "Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present."
But wait, there's more. Much more.
Moxie writes that it is possible for a specially configured file — for example, one placed in the Signal app — to surreptitiously alter all past and future data collected by Cellebrite tools. Such a file would essentially render the Cellebrite software worse than worthless, as it could actively corrupt any data already pulled from confiscated smartphones.
In other words, if such a file were included in an app on a smartphone, and that phone was connected to Cellebrite software, then all bets are off.
"If they add the file to Signal, that would be interesting... as yes it would mean that they could probably nuke/hack/infect Cellebrite," explained Patrick Wardle, the creator of Mac security website and tool suite Objective-See.
We reached out to Cellebrite, and asked if the company now considers phones loaded with Signal a risk.
"Cellebrite is committed to protecting the integrity of our customers' data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available," read the company's reply in part.
A video, included in the Signal blog post and incorporating scenes from the 1995 movie Hackers, shows one relatively harmless example of a potential exploit: a pop-up on a Cellebrite device that reads, "MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!"
Of course, if this were anything other than a demo, there likely wouldn't be a notification. And the outcome might be more serious than a line from Hackers.
"Any app could contain such a file," writes Moxie, "and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."
Dan Tentler, the executive founder of the security company Phobos Group, explained over email that Moxie's findings mean that it's now incredibly risky for government agents to use Cellebrite's products.
"What agency would you like to exploit?" he asked rhetorically. "Bait one of them into reading a phone loaded with the exploit, and have the exploit then compromise the computer the Cellebrite platform is plugged into after the fact to retrieve the files."
Notably, especially for Cellebrite and its customers, Moxie hints that future versions of Signal might incorporate the type of file he describes.
"In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage," he writes. "These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software."
But will Signal actually do it?
"I think it's more likely the [Signal] article [is meant to] bring awareness to the issue, and I would be surprised if the exploit / file is included," wrote Wardle.
Tentler, for his part, sees Cellebrite's alleged failure to get its security house in order as a part of a larger trend.
"Cellebrite is just another vendor in the security space who makes a 'security product' but 'does no security themselves,'" he wrote. "There will be many more of these to come — giving people a false sense of security pays big money, and a gigantic majority of the 'information security industry' falls into this category."
Hack the planet, indeed.
UPDATE: April 21, 2021, 1:59 p.m. PDT: This story was updated to include comment from Patrick Wardle, the creator of Mac security website and tool suite Objective-See.
UPDATE: April 21, 2021, 3:39 p.m. PDT: This story was updated to include Cellebrite's comment.