After the mobile hacking company Cellebrite said it had found a way to access the Signal secure messaging app, Signal said in a blog post that it had turned the tables.
Application creator Moxie Marlinspike claims that his team acquired a Cellebrite hacking device and discovered a number of vulnerabilities. He then indicated that Signal would update the application to thwart all attempts by law enforcement agencies to access it.
Cellebrite sells a suite of “data analysis tools” called UFED that allows government agencies such as police to break into iOS or Android phones and extract all data, including messages, call records, photos and other data. The FBI allegedly used that hacking toolkit to unlock the iPhone in the past.
In a tweet, Signal demonstrated the hack in action.
Marlinspike managed to obtain a Cellebrite UFED device, complete with a software and hardware key. He jokingly said that he saw it while walking and that “the device fell out of the truck”. (Earlier versions of the device can be purchased on eBay and other sites.)
They noticed that the device used some older software elements. Marlinspike wrote in a post on the company’s blog, “We were surprised to find that Cellebrite’s own software security received very little attention.”
The Signal team found that by including “specially formatted but otherwise harmless files in any application” on a device scanned by Cellebrite, it could run code that modified the UFED report. For example, it is potentially possible to insert or delete text, email, photos, contacts and other data without the unauthorized changes being detected.
Cellebrite told Ars Technica that it is “committed to constantly revising and updating its software to protect the integrity of user data and to equip customers with the best available digital intelligence solutions.”