Signal Founder Hacks Cellebrite’s Phone Hacking Tools

The secure lock screens on Android and iOS devices are supposed to keep your data secure, but there are still some ways to crack the lock. You just need a capable digital crowbar like the ones made by Cellebrite. The Israeli firm recently bragged that it has helped law enforcement retrieve data from the encrypted Signal chat app. Well, Signal founder Moxie Marlinspike had something to say about that. After getting his hands on Cellebrite’s tools, he turned the tables and hacked the hacker. 

These phone hacking tools are basically black boxes — no one outside the company is supposed to know how they work or what exploits they use to break smartphone security. Revealing that would make it possible for Apple and Google to patch the targeted exploits, thus rendering the hardware and software versions of Cellebrite’s tools obsolete. Marlinspike did not reveal where he got his Cellebrite materials — he jokes that it fell off of a truck. The bundle included various dongles and a hardware key that enabled the Windows software version of Cellebrite (above). The company sells a standalone hardware kit as well. 

According to the Signal blog, this product is supposed to exploit unknown software bugs in smartphones, but it’s crawling with bugs itself. By feeding Cellebrite a few tweaked files, it’s possible to modify the data reported to users. Marlinspike says this hack can even alter the data reported by the system when scanning future devices. This calls into question the reliability of the evidence gathered with Cellebrite technology. 

Our latest blog post explores vulnerabilities and possible Apple copyright violations in Cellebrite’s software:

“Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective”https://t.co/DKgGejPu62 pic.twitter.com/X3ghXrgdfo

— Signal (@signalapp) April 21, 2021

To illustrate this, Marlinspike fed Cellebrite a file that opened it up to running arbitrary code. You can do almost anything with that power, but Marlinspike just used it to display a custom message in the software. Going forward, Signal will download some mysterious files to place in app storage. Marlinspike called this “completely unrelated news,” but the intention is clear. These files are probably going to prank anyone who tries to read Signal data on Cellebrite systems. 

The technology from Cellebrite and competitors like GrayKey are a favorite of law enforcement in the US, but these devices are also popular with authoritarian regimes in places like Russia, Turkey, and Belarus. This has made them popular targets for hackers and privacy advocates. Marlinspike has committed to responsibly disclosing the vulnerabilities he discovered in Cellebrite’s software, but he’s got a condition: Cellebrite has to do the same with the exploits it uses to hack phones. That doesn’t seem very likely.

Now read: