Summary List Placement
Encrypted messaging app Signal dealt a major blow to Cellebrite, a company that specializes in breaking into locked phones.
Moxie Marlinspike, Signal’s CEO, published an explosive blog Wednesday detailing how he and his team managed to hack software from digital forensics firm Cellebrite.
Cellebrite provides software capable of breaking into locked phones and extracting data whilst hooked up to a secondary device. It is popular with police forces, who ship off locked phones for Cellebrite to unlock for thousands of dollars.
Cellebrite advertises itself as being able to crack into high-end phones that have sophisticated security, like iPhones.
But according to Marlinspike’s analysis of Cellebrite’s tech, its software is itself full of security vulnerabilities.
Marlinspike wrote, presumably tongue-in-cheek, that he obtained a Cellebrite-branded package containing dongles, its latest software, and cables after he saw it “fall off a truck ahead of me.”
Analyzing the software, he found that it was possible to hack Cellebrite’s software by leaving specially designed lines of code inside apps on a phone that’s being targeted, like booby traps.
This allowed Marlinspike to not only create fake data for scanning, but also modify old reports and potentially tamper with future ones by adding or removing data including text, emails, and photos.
“This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question,” he wrote.
Read more: 14 cybersecurity startups that raised gobs of funding and became unicorns since the start of the pandemic
Marlinspike also said he found files that implement iTunes functionality in Cellebrite’s software, and said he found it unlikely that Apple had granted Cellebrite a license.
“It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users,” he …read more
Source:: Business Insider