Privacy is still something worth fighting for, even if the war feels lost to Silicon Valley's hunger for data, and Signal has put itself on the front line to protect its users.
This protection starts with Cellebrite, a firm which provides digital solutions for law enforcement focused on extracting data from mobile devices.
Unfortunately, Signal claims that Cellebrite also has “authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere” on its customer list.
Worse still, the messaging platform says that Cellebrite products have been linked to the persecution of journalists and activists around the world.
It’s important to note that Cellebrite doesn’t digitally intercept data but rather grabs data from a handset that a user of its solution has in their physical possession.
There are two pieces of software used to extract data from a handset in this process:
- UFED – creates a backup of the target device on a Windows machine running UFED
- Physical Analyzer – software which parses files from the backup and turns them into browsable data.
Why does Signal care? Well, Cellebrite claims it can now decrypt Signal conversations.
To that end, and in a remarkable coincidence, Signal co-founder Moxie Marlinspike (or Matthew Rosenfeld if you prefer) found a package containing Cellebrite software, dongles and cable adapters. It seems this package fell off the back of a truck. What a coincidence!
Clearly Signal was going to play around with the Cellebrite gear and, well, what it found was embarrassing.
“Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious,” writes Marlinspike.
“Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present,” the Signal co-founder added.
But wait, it gets worse, for Cellebrite at least.
According to Marlinspike, a cleverly coded attack could modify all Cellebrite reports, past, present and future, with no way of knowing what was changed, when it was changed, or whether anything was changed at all.
“This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question,” adds Marlinspike.
And yes, it’s about to get worse still.
Signal has discovered two bundled MSI packages in the Physical Analyzer, namely AppleApplicationsSupport64.msi and AppleMobileDeviceSupport6464.msi. Both of these packages are signed by Apple but, importantly, appear to have been extracted from the Windows installer for iTunes version 22.214.171.124.
Once installed, these packages contain DLLs that iTunes uses to communicate with iOS devices.
“It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users,” writes Marlinspike.
So what is Signal going to do about this? For one, it says it will disclose the vulnerabilities it found, if Cellebrite is willing to disclose the vulnerabilities it exploits to do business.
We suspect livestock will become airborne before that happens, so Signal has said it’s doing something else.
“In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software,” says Marlinspike with their tongue somewhere near the cheek area.
“We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files,” the co-founder adds.
Nothing for Cellebrite to worry about then, we suppose?