Cellebrite is an Israeli digital intelligence firm known for selling software to crack phones and pull data from them. As such, it’s no surprise Cellebrite products are popular with law enforcement agencies in the US. Police regularly use these tools to get evidence from devices seized from suspects.
The company has drawn criticism for its willingness to sell products to almost any government, including selling software to oppressive regimes. However, despite the company’s apparent mission to compromise global cellular security, the company appears to be lacking when it comes to securing its own software. At least, if the CEO of encrypted chat app Signal is to be believed.
Moxie Marlinspike published a blog post on Wednesday claiming that Cellebrite’s own software is poorly secured and could be hacked easily by anyone who knows how.
“We were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present,” Marlinspike writes. “Until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.”
Marlinspike made a number of claims in the blog post, including that someone could rewrite data taken by Cellebrite software by hacking into the system. Hypothetically, someone could plant a unique file in apps on a targeted device, letting them alter all the data collected by the software – past, present, and future.
The blog says a file like this could, “[alter data] in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures.”
The blog also claims that Cellebrite software contains intellectual property owned by Apple, which could “present a legal risk for Cellebrite and its users.” The company could possibly be selling code that belongs to another company – its main competitor, at that.
If all of the claims in the blog are true, it would have drastic implications for Cellebrite. If we can assume that it is so easy to hack into the software and alter data collected by the police, we can also assume that evidence obtained using the software isn’t credible. What would be the legal ramifications for a case built around evidence obtained using Cellebrite software if that evidence were cast into doubt?
That Marlinspike outed these security concerns so publicly – and without first disclosing them to Cellebrite, as is standard practice in the industry – could make this seem like a swipe at the company. Perhaps Marlinspike hacked the system in response to Cellebrite claiming it can break Signal’s secure encryption. No matter what, the claims call for serious investigation into Cellebrite and whether or not the software can be trusted.