Date: 2021-04-22

Popular secure messaging app Signal claims to have exposed critical vulnerabilities in software made by controversial phone scanning and data extraction company Cellebrite.

The Israeli digital forensics firm is said to help law enforcement agencies break into mobile phones by exploiting undisclosed vulnerabilities.

To make his distaste for these kinds of practices known, Signal CEO Moxie Marlinspike has published a blog post on critical flaws in Cellebrite tools, instead of alerting the vendor under the responsible disclosure model.

"We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future," wrote Marlinspike.

Easy to hack

Marlinspike posted a video highlighting the vulnerabilities in Cellebrite software, which allowed him to execute malicious code on the Windows computer used to analyze devices.

To add insult to injury, Marlinspike also claimed he was “surprised” by the lack of security in Cellebrite’s security software, adding that the tools were missing the industry-standard exploit mitigation defenses, which offered “many opportunities for exploitation.”

To illustrate the lack of prudent security measures, in his breakdown of Cellebrite’s two main tools, Marlinspike observed that they bundle FFmpeg DLLs from 2012. He pointed out that FFmpeg has reported over two hundred vulnerabilities since then.

In addition to the security blunders, Marlinspike also observed a couple of Apple copyright violations in the apps.

Cellebrite did not respond immediately to our request for comment.