Signal discovers vulnerabilities forcing Cellebrite to stop unlocking iPhone models with its Physical Analyzer
These vulnerabilities, if exploited, would call into question not only the results of the current scan but also every past and future scan done with the same machine. It would be a prosecutor's nightmare and a dream come true (with extra whipped cream on top) for defense attorneys. And all Signal had to do was get a file in front of the Cellebrite machine.
Because Signal can ship the file to all of its users, this has become an incentive for iPhone users to install the messaging app even if they never use it. In its blog post, Signal explained the process of kicking Cellebrite where it hurts. This is done "by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it's possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite's reports into question."
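The phrase "no detectable timestamp changes or checksum failures" follows directly from where the checksums are computed: a checksum produced and stored on the analysis host protects nothing against code running on that same host, because the code can rewrite the report and recompute the checksum. The added example below is not Signal's or Cellebrite's code and makes no claim about how Cellebrite actually protects its reports; it contrasts a host-local checksum with a keyed tag whose key is held off the scanning machine (a hypothetical separate verifier), using a constructed sample report.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample report standing in for a forensic extraction report.
SAMPLE_REPORT = {
    "device": "example-device-01",  # constructed placeholder, not a real identifier
    "messages": ["hello", "see you at 9"],
    "created": "2021-04-21T10:00:00Z",
}


def serialize(report: dict) -> bytes:
    """Canonical JSON so identical content always yields identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def local_checksum(report: dict) -> str:
    """Unkeyed hash computed and stored on the same host that writes the report."""
    return hashlib.sha256(serialize(report)).hexdigest()


def keyed_tag(report: dict, key: bytes) -> str:
    """HMAC with a key that never lives on the analysis host (assumed separate verifier)."""
    return hmac.new(key, serialize(report), hashlib.sha256).hexdigest()


def tamper(report: dict) -> dict:
    """Simulate a compromised analysis process editing stored report content."""
    modified = json.loads(serialize(report))  # deep copy via round-trip
    modified["messages"].append("inserted line")
    return modified


def verify_local(report: dict, stored_checksum: str) -> bool:
    """Check a host-local checksum; passes whenever the attacker recomputed it."""
    return hmac.compare_digest(local_checksum(report), stored_checksum)


def verify_keyed(report: dict, stored_tag: str, key: bytes) -> bool:
    """Check a keyed tag; fails for any content the key holder did not tag."""
    return hmac.compare_digest(keyed_tag(report, key), stored_tag)


def demo() -> tuple:
    """Return (local check passes after tampering, keyed check passes after tampering)."""
    key = secrets.token_bytes(32)  # held by the separate verifier, not the scanning host
    original = SAMPLE_REPORT
    tag = keyed_tag(original, key)

    # Code executing on the host rewrites the report and simply recomputes
    # the unkeyed checksum stored next to it: no "checksum failure" results.
    modified = tamper(original)
    forged_checksum = local_checksum(modified)
    local_passes = verify_local(modified, forged_checksum)

    # Without the key, no valid tag exists for the modified content, so the
    # off-host verifier detects the change.
    keyed_passes = verify_keyed(modified, tag, key)
    return local_passes, keyed_passes


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The design point is that integrity evidence must be anchored outside the trust boundary of the component that can be compromised: a signature or HMAC verified by a party that never shared its key with the scanning host, rather than a checksum stored alongside the data it is supposed to protect.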
Explaining how the DLL files are used, Signal notes, “The Cellebrite iOS Advanced Logical tool loads these Apple DLLs and uses their functionality to extract data from iOS mobile devices. The screenshot below shows that the Apple DLLs are loaded in the UFED iPhone Logical.exe process, which is the process name of the iOS Advanced Logical tool.”
Signal found the vulnerabilities after getting its hands on Cellebrite's software, including the powerful Physical Analyzer, and discusses them in its blog post.
Signal said it would be willing to "responsibly disclose the specific vulnerabilities we know about to Cellebrite." In return, Signal wants Cellebrite to reveal all of the vulnerabilities it uses for physical extraction and its other services, now and in the future, to their "respective vendors."