Israeli digital intelligence firm Cellebrite sells software designed to unlock phones and extract their data. As a result, its products are a favorite of law enforcement agencies across the U.S., and police frequently use them to gather evidence from seized devices. In the past, the company has received criticism for its willingness to sell to pretty much any government—including repressive regimes around the world. However, despite its mission to compromise phone security everywhere, Cellebrite would appear to have little interest in securing its own software—if you believe the CEO of encrypted chat app Signal.
In a blog post published Wednesday, Moxie Marlinspike claimed that Cellebrite’s software has atrocious security and can be manipulated in a number of pretty astounding ways.
“We were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present,” Marlinspike writes. “Until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.”
Among many wild claims made in the blog, Marlinspike says that because of security flaws, someone could basically rewrite all of the data being collected by Cellebrite’s tools. Hypothetically, a specially formatted file slipped into any app on a targeted device could be used to alter all of the data that has been or will be collected by Cellebrite’s software, not just the data pulled from that one device.
Such a file could alter data “in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures,” the blog states. It continues:
“Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.”
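The claim above, that extracted data can be rewritten with no checksum failures, rests on a simple point: the checksums live on the same machine the attacker now controls, so they can be regenerated along with the data. The following Python is an added example, not code from the Signal post and not anything from Cellebrite’s software, and its report layout, file names and metadata are constructed for illustration. It shows why a tool’s own manifest proves nothing against that attacker, and what a digest recorded off the collection machine still catches:

```python
import hashlib
import json
from copy import deepcopy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Per-file digests written next to the report by a hypothetical extraction tool.
    They live on the collection machine, so whoever controls that machine controls them."""
    return {name: sha256_hex(data) for name, data in sorted(files.items())}


def verify_local(files: dict, manifest: dict) -> bool:
    """The check a reviewer gets if they trust the report's own checksum file."""
    return build_manifest(files) == manifest


def fingerprint(report: dict) -> str:
    """Independent digest over file contents and report metadata.
    Recomputed from the data itself; the report's own manifest is never consulted."""
    h = hashlib.sha256()
    for name, data in sorted(report["files"].items()):
        h.update(name.encode())
        h.update(b"\0")
        h.update(sha256_hex(data).encode())
        h.update(b"\n")
    h.update(json.dumps(report["meta"], sort_keys=True).encode())
    return h.hexdigest()


def verify_against_escrow(report: dict, escrowed: str) -> bool:
    """Compare a report to a fingerprint recorded off the collection machine."""
    return fingerprint(report) == escrowed


# Constructed sample report: the file names, columns and metadata are invented for
# this example and do not reflect any real extraction tool's output format.
SAMPLE_FILES = {
    "messages.csv": b"ts,sender,text\n1618970400,+15550100,see you at 9\n",
    "contacts.csv": b"name,number\nAlice,+15550100\n",
}
SAMPLE_META = {"generated": "2021-04-21T10:00:00Z", "tool_version": "example"}


def make_report() -> dict:
    files = deepcopy(SAMPLE_FILES)
    return {"files": files, "manifest": build_manifest(files), "meta": dict(SAMPLE_META)}


def tamper_consistently(report: dict, filename: str, new_data: bytes) -> dict:
    """Model of what arbitrary code on the collection machine can do: replace a file,
    regenerate the tool's own checksums, and leave timestamps and metadata untouched."""
    t = deepcopy(report)
    t["files"][filename] = new_data
    t["manifest"] = build_manifest(t["files"])
    return t


def demo() -> dict:
    clean = make_report()
    escrowed = fingerprint(clean)  # recorded on a separate system right after acquisition
    tampered = tamper_consistently(
        clean, "messages.csv",
        b"ts,sender,text\n1618970400,+15550100,bring the package\n")
    return {
        "local_check_on_tampered": verify_local(tampered["files"], tampered["manifest"]),
        "metadata_unchanged": tampered["meta"] == clean["meta"],
        "escrow_check_on_clean": verify_against_escrow(clean, escrowed),
        "escrow_check_on_tampered": verify_against_escrow(tampered, escrowed),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The local check passes on the tampered report and the metadata is untouched, which is the “no detectable timestamp changes or checksum failures” outcome the blog describes; only the fingerprint escrowed elsewhere fails. The caveat matters as much as the check: an off-machine digest only protects reports that were fingerprinted before the machine was compromised. A report that is altered as it is generated, the “will be collected” half of the claim, gets escrowed already wrong, and for that case the only remedy is the one Marlinspike names, not scanning at all.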
The blog even includes a video, spliced with scenes from the movie Hackers, that shows just how easily Cellebrite’s software can be hijacked.
On top of everything, the blog makes another pretty bold claim: code that apparently is the intellectual property of Apple appears within Cellebrite’s software—something Marlinspike says “might present a legal risk for Cellebrite and its users.” In other words, Cellebrite might be selling code that belongs to a company whose devices it is in the business of breaking into.
If all of these disclosures are true, the ramifications for Cellebrite could be massive. If it is really this easy for someone to break into the company’s software and drastically alter the data that police are collecting, how certain can law enforcement be that the evidence it has collected is intact and unaltered? What would the legal ramifications be for the cases that have hinged on Cellebrite’s software, if its security is really so paltry? Anyone who’s been involved in a case that used this software should probably be calling their lawyer right now.
The fact that Marlinspike has very publicly outed these security concerns—and done so without prior disclosure to Cellebrite, as is standard industry practice—could definitely be viewed as a swipe, if not an outright backhanded slap to the face. It’s hard not to read all of this as a retort to Cellebrite’s recent claims that it can crack Signal’s encryption, surely a claim that stuck in Marlinspike’s craw. To top everything off, the Signal CEO ends the blog by all but saying that Signal plans to seed future versions of the app with some sort of malware-adjacent files aimed at Cellebrite:
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software…We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
Shots fired, indeed. We have reached out to Cellebrite for comment and will update this story if we hear back from them.
UPDATE, 6:50 p.m., Wednesday, April 21: In response to a request for comment, a spokesperson for Cellebrite sent us the following statement: Cellebrite enables customers to protect and save lives, accelerate justice and preserve privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community. Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available.