Signal gives phone hacking company Cellebrite a taste of its own medicine

Popular secure messaging app Signal claims to have exposed critical vulnerabilities in software made by controversial phone scanning and data extraction company Cellebrite.

The Israeli digital forensics firm is said to help law enforcement agencies break into mobile phones by exploiting undisclosed vulnerabilities. 

To make his distaste for these kinds of practices known, Signal CEO Moxie Marlinspike has published a blog post on critical flaws in Cellebrite tools, instead of alerting the vendor under the responsible disclosure model.

"We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future," wrote Marlinspike.

Easy to hack

Marlinspike posted a video highlighting the vulnerabilities in Cellebrite software, which allowed him to execute malicious code on the Windows computer used to analyze devices.

To add insult to injury, Marlinspike also claimed he was “surprised” by the lack of security in Cellebrite’s security software, adding that the tools were missing the industry-standard exploit mitigation defenses, which offered “many opportunities for exploitation.”

To illustrate the lack of prudent security measures, in his breakdown of Cellebrite’s two main tools, Marlinspike observed that they bundle FFmpeg DLLs from 2012. He pointed out that FFmpeg has reported over two hundred vulnerabilities since then.

In addition to the security blunders, Marlinspike also observed a couple of Apple copyright violations in the apps.

Update:

A Cellebrite spokesperson has since provided the following statement:

"Cellebrite is one of the most trusted names in the industry having served the law enforcement community and private enterprise for more than 14 years."

"We constantly strive to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound."

"Cellebrite understands that research is the cornerstone of ensuring this validation, making sure that lawfully obtained digital evidence is utilized to pursue justice."

"We will continue to integrate these standards in our products, software, and the Cellebrite team, in order to deliver the most effective, secure, and user friendly tools for our customers."

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.