Moxie Marlinspike, CEO of encrypted messaging app Signal, has found vulnerabilities in the software developed by Cellebrite. The vulnerabilities found in the data extraction company’s code allow for arbitrary code execution on the device running the software. Cellebrite’s products are mostly used by governments and the police to unlock any iOS or Android device and extract data. Late last year, it was announced that Cellebrite’s Physical Analyzer also had access to data stored on Signal.
In a blog post, Marlinspike stated that Cellebrite’s software works by parsing data that originates from an untrusted source. It accepts input that may be formatted incorrectly, which has the potential to trigger a memory corruption vulnerability. This could lead to code execution on the Cellebrite system. Marlinspike claimed: “Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present”.
More worryingly, Marlinspike discovered that Cellebrite’s software included open-source code that was not only outdated but had also not been updated in almost 10 years.