Cellebrite Forensic Software Security Vulnerabilities

Risk:
high
Damage:
high
Platform(s):
Android OS, Mac OS X, Apple iOS
Advisory ID:
NGCERT-2021-0036
Version:
N/A
CVE:
N/A
Published:
April 28, 2021

Summary


Signal CEO Moxie Marlinspike, after successfully hacking the Cellebrite cellphone hacking and cracking tool, revealed that the software lacks industry-standard exploit mitigation defenses, which leaves it vulnerable to exploitation. This comes after Cellebrite claimed in 2019 that its new tool unlocks almost any iOS and Android device and, in December 2020, that it could easily crack Signal’s encryption. Marlinspike accused Cellebrite of making a living from undisclosed vulnerabilities, hence the decision to play it smart with the company by publishing the vulnerability publicly.

Description & Consequence


According to Moxie, the software is riddled with vulnerabilities. (The one example he gives is that it uses FFmpeg DLLs from 2012, which have not been patched with the 100+ security updates released since then.) It was revealed that it is possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed. For example, such a file makes it possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question. The malicious file could also, for example, insert fabricated evidence or subtly alter the evidence it copies from a phone. It could even write that fabricated or altered evidence back to the phone so that, from then on, even an uncorrupted version of Cellebrite will find the altered evidence on that phone.

Successful exploitation of the security flaws could allow attackers to rewrite all of the data collected by the Cellebrite data extraction software. In such a scenario, a uniquely configured file placed in any app on a targeted device would lead to the alteration of all the data that the software has collected. The data can be altered in an arbitrary manner: text, photos, email, contacts, files, and other data can be removed or inserted without any detectable timestamp changes or checksum failures.
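The Description cites bundled FFmpeg DLLs dating from 2012. As an added example (not part of this advisory and not Cellebrite's or Signal's code), the following sketch shows one way to triage an installation directory for stale bundled libraries by reading each DLL's PE link timestamp. The cutoff date, the file names and the sample bytes are constructed assumptions.

```python
import struct
from datetime import datetime, timezone
from pathlib import Path


def pe_link_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of PE header
    if pe_off + 12 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def stale_libraries(files, cutoff):
    """files: iterable of (name, bytes). Return [(name, link_time)] older than cutoff."""
    found = ((name, pe_link_time(data)) for name, data in files)
    stale = [(n, t) for n, t in found if t is not None and t < cutoff]
    return sorted(stale, key=lambda item: item[1])


def scan_directory(root, cutoff):
    """Audit every DLL under an installation directory (path supplied by the caller)."""
    paths = Path(root).rglob("*.dll")
    return stale_libraries(((str(p), p.read_bytes()) for p in paths), cutoff)


def sample_pe(year):
    """Constructed minimal DOS + PE/COFF header linked on 1 June of the given year."""
    stamp = int(datetime(year, 6, 1, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHI", 0x8664, 0, stamp) + b"\0" * 12
    return dos + b"PE\0\0" + coff


# Constructed sample inputs (not real files): an old build, a recent one, a non-PE file.
SAMPLES = [
    ("old_codec.dll", sample_pe(2012)),
    ("new_codec.dll", sample_pe(2021)),
    ("notes.dll", b"not a PE image"),
]
CUTOFF = datetime(2019, 1, 1, tzinfo=timezone.utc)  # assumed policy threshold

if __name__ == "__main__":
    for name, linked in stale_libraries(SAMPLES, CUTOFF):
        print(f"{name}: linked {linked:%Y-%m-%d}, older than policy cutoff")
```

The link timestamp is a triage signal only: reproducible builds may zero or replace it, so confirm flagged files against their version resources and the upstream project's security releases.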

Solution


According to Cellebrite, two new version updates have been released to address a recently identified security vulnerability. The security patch strengthens the protections of the solutions. Users are advised to update their Cellebrite software in an attempt to address the discovered vulnerabilities.

Reference


1. https://signal.org/blog/cellebrite-vulnerabilities/

2. https://www.hackread.com/signal-ceo-hacks-cellebrite-cellphone-hacking-tool/

3. https://securityboulevard.com/2021/04/security-vulnerabilities-in-cellebrite/

 
