The Independent's journalism is supported by our readers. When you purchase through links on our site, we may earn commission. 

Signal booby-traps its own encrypted messaging app to hack its hackers

Signal found hacking company Cellebrite’s hardware tools in a ‘truly unbelievable coincidence’

Adam Smith
Thursday 22 April 2021 18:54 BST
Comments
Signal app hacks the hackers by taking over Cellebrite software

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Encrypted messaging service Signal has turned the tables on data extraction company Cellebrite, seemingly booby-trapping its own app to hack the hackers.

The messaging company published a blog post that reported numerous alleged vulnerabilities in Cellebrite software, which uses physical access to a smartphone to breach its contents.

Signal was able to exploit holes in Cellebrite’s code to execute its own software on Windows computers used by Cellebrite. “There are virtually no limits on the code that can be executed,” Signal CEO Moxie Marlinspoke said.

Cellebrite make two products - UFED and Physical Analyzer - that have previously been used by authoritarian regimes including Russia and Belarus, the police in Myanmar, and the FBI in the United States attempting to breach iPhones.

UFED creates a backup of the device onto a Windows computer, while the Physical analyzer parses the files in a way that is browsable for the user.

Cellebrite infamously claimed that they were able to breach Signal’s encryption – one of the most secure available – in December 2020, but Signal claims the company only added support to Physical Analyser for the file formats used by Signal, and thus were overstating their actual abilities.

“One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands,” Marlinspike writes.

Exacting retribution by a “truly unbelievable coincidence”, Marlinspike writes, Signal gained access to Cellebrite’s hardware tools.

“I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite”, Marlinspike writes.

It appears Signal was able to execute code using a “specifically formatted but otherwise innocuous file” in an app that’s scanned by Cellebrite – such as Signal, for example - to take over Cellebrite’s software.

“Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices”, the post continues.

“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.

“In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software”, Signal adds.

“We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.”

The Independent has reached out to Signal for more information about the significance of these files, and how it came to access Cellebrite equipment, but the messaging app did not respond to a request for comment by time of publication.

Signal also alleges that Cellebrite uses two MSI installer packages that are digitally signed by Apple, but appear to have been extracted from the Windows installer of iTunes 12.

“It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users”, Signal writes.

Apple did not respond to a request for comment from The Independent before time of publication. The Independent also asked Cellebrite for more information about its possible vulnerabilities, as well as its Apple licenses, but the digital forensics company also did not respond before time of publication.

“We constantly strive to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound”, Cellebrite said in a statement to The Independent.

“Cellebrite understands that research is the cornerstone of ensuring this validation, making sure that lawfully obtained digital evidence is utilized to pursue justice.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in