[HN Gopher] Exploiting vulnerabilities in Cellebrite UFED and Ph...
___________________________________________________________________
Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer
Author : derekerdmann
Score : 696 points
Date : 2021-04-21 16:29 UTC (6 hours ago)
(HTM) web link (signal.org)
(TXT) w3m dump (signal.org)
| [deleted]
| sitzkrieg wrote:
| I find it remarkably unbelievable someone would put a Cellebrite
| bag in the back of a truck given the price alone... and the timing
| too. Sure.
| NullPrefix wrote:
| I bet the tool was bought from a supplier but Signal team can't
| disclose it because source protection.
| novok wrote:
| With all the recent BLM protests going on, I wouldn't be
| surprised if it was acquired by an activist, even an activist
| who works in the police force!
| op00to wrote:
| This is irresponsible and inflammatory. Has nothing to do
| with the discussion. Please stop.
| marcopet wrote:
| "fell off the back of a truck" is an idiom [1]. It's not meant
| literally.
|
| [1] https://www.phrases.org.uk/meanings/fell-off-the-back-of-
| a-t...
| supergirl wrote:
| they actually put a photo of it on the street too
| ampdepolymerase wrote:
| It's like "a little bird told me".
| myself248 wrote:
| The "parallel construction" of the civilian world.
| sitzkrieg wrote:
| oh ok, that's a new one for me obviously, but the street photo
| got me. lol
| spoonjim wrote:
| "Fell off the back of a truck" is slang for "obtained through
| illicit means." It comes from the excuse that criminals used to
| give when caught with stolen property: I didn't steal it, it
| just fell off a truck.
| sitzkrieg wrote:
| thank you for clarifying, English is not my main language and
| that was taken at face value. The going on a walk and picture
| was too good
| motohagiography wrote:
| Wow, that video made my day. This bit is key:
|
| > "For example, by including a specially formatted but otherwise
| innocuous file in an app on a device that is then scanned by
| Cellebrite, it's possible to execute code that modifies not just
| the Cellebrite report being created in that scan, but also all
| previous and future generated Cellebrite reports from all
| previously scanned devices and all future scanned devices in any
| arbitrary way (inserting or removing text, email, photos,
| contacts, files, or any other data), with no detectable timestamp
| changes or checksum failures. This could even be done at random,
| and would seriously call the data integrity of Cellebrite's
| reports into question."
|
| They may have just got a lot of evidence collected using
| Cellebrite from phones with (or without) Signal installed on them
| thrown out of court.
|
| I don't recall the details, but there was an absolute
| unsubstantiated speculative and surely fictional rumor of at
| least one entirely theoretical zero-day non-gif formatted image
| file that exploited a similar class of vulnerability in what was
| probably not a market leading tool used tangentially for the same
| purposes, floating around well over a decade ago as well.
|
| I for one am very glad that these hypothetical issues have almost
| surely been fixed.
| marcodiego wrote:
| > One way to think about Cellebrite's products is that if someone
| is physically holding your unlocked device in their hands, they
| could open whatever apps they would like and take screenshots of
| everything in them to save and go over later. Cellebrite
| essentially automates that process for someone holding your
| device in their hands.
|
| Aren't Cellebrite products/services more advanced than that? I
| mean don't they use publicly unknown zerodays to extract data
| from locked phones?
| [deleted]
| sodality2 wrote:
| They are more advanced typically than just extracting data from
| a phone. Not sure to which extent they advertise it brazenly
| though. Fairly certain they blog about it a lot
| carstenhag wrote:
| the Cellebrite ambassador we talked to (as a private company)
| basically bragged they were the ones that unlocked the San
| Bernardino iPhone. I'm sure towards government officials and
| Law Enforcement they brag even more.
| saagarjha wrote:
| But they weren't, that was Azimuth: https://www.washingtonp
| ost.com/technology/2021/04/14/azimuth...
| saagarjha wrote:
| AFAIK there are various "levels" of Cellebrite's products, from
| "I'm a phone shop and I want something to help me make a phone
| backup so I can restore it" all the way to "tools to break into
| locked iPhones".
| amluto wrote:
| Now if only I could use legitimate tools to access _my own_
| Signal data on an iOS device.
| NullPrefix wrote:
| Have you tried going out for a walk and looking for trucks with
| small packages falling off?
| gruez wrote:
| doesn't an iTunes backup contain all the app data?
| amluto wrote:
| Not obviously for Signal
| mike_d wrote:
| I own a Cellebrite, and yeah you are right. The Cellebrite
| box is nothing other than a phone backup tool. The nice thing
| it does is implement every backup sync protocol for every
| version of every mobile OS so you don't have to spend a whole
| day trying different combinations of iTunes and such.
|
| The "Physical Analyzer" is just a forensics tool. There are
| dozens of competitors out there that will take a phone and
| surface the things that might be interesting in a court case
| or law enforcement investigation.
|
| The product Signal didn't talk about - which I think is the
| one they are upset about - is Cellebrite Premium. That is
| their service where law enforcement can send locked or
| damaged devices to their lab and get back an image to load
| into PE. However, in 99% of cases devices are either accessed
| because they are running old software with public
| vulnerabilities, or using the magic phrase "would you mind
| unlocking your phone so we can clear this matter up?"
| paddlesteamer wrote:
| > In completely unrelated news, upcoming versions of Signal will
| be periodically fetching files to place in app storage. These
| files are never used for anything inside Signal and never
| interact with Signal software or data, but they look nice, and
| aesthetics are important in software.
|
| I wish I could see those files in action...
| barbazoo wrote:
| I don't get it, can anyone elaborate on what they are talking
| about there?
| rodgerd wrote:
| Signal is going to start attacking third-party tools once
| it's installed on your phone.
|
| It's as though Theo decided that OpenSSH should respond to
| portscanners by trying to pwn the source systems.
| TheGeminon wrote:
| They are implying that future versions of Signal will drop
| random files on your phone that "may or may not" cause damage
| to Cellebrite systems.
|
| They are basically putting the threat out that if you use
| Cellebrite on Signal in the future, you might not get the
| data you expect, and at worst, it may corrupt the
| report/evidence.
|
| This also brings into question the chain of custody, as an
| untrusted device being imaged can alter reports of unrelated
| devices.
| franga2000 wrote:
| Damn, a chain of custody where the thing in evidence is
| also part of not only its own chain but also those of other
| evidence acquired afterwards? I can't imagine what kind of
| case law exists around that, but I'm sure it's hilarious!
| tony101 wrote:
| I wonder if the intention here is to deter Cellebrite from
| parsing Signal files? Or to pressure them into fixing their
| security vulnerabilities?
| kbenson wrote:
| _Files will only be returned for accounts that have been
| active installs for some time already, and only
| probabilistically in low percentages based on phone number
| sharding. We have a few different versions of files that we
| think are aesthetically pleasing, and will iterate through
| those slowly over time._
|
| Pretty sure it's the former, since the above is a way to
| ensure that Cellebrite can't just gather all implied exploit
| files and make sure they've got those specific problems all
| patched. This is, quite literally, an informational attempt
| at guerilla/asymmetric warfare, where Signal is trying to
| make engaging with them too costly, while also making a few
| blows quite a bit above their weight level. Cellebrite now
| has to decide whether to keep after this adversary that both
| is hard to pin down, ambushes them, and has shown it can hit
| them really hard where it matters (credibility, and thus
| their pocket book).
| Zarathust wrote:
| This indeed looks like a FUD statement, implying that they
| can have an infinite amount of potential vulnerabilities.
| Realistically though, writing parsers that do not yield
| control of your whole device is not that complex. The
| people exploiting iOS zero days can certainly do it.
| da_big_ghey wrote:
| Signal is capable of finding more exploits with more
| time. The important piece is that there now exists a reasonable
| doubt about data from Cellebrite, so it is not so good
| for evidence.
| kevinmchugh wrote:
| It's not that hard but neither is shipping patched
| versions of ffmpeg. This company will have some catching
| up to do.
| hprotagonist wrote:
| or just flipping them off, which seems OK too.
| jjoonathan wrote:
| Nah, Cellebrite will panic for a bit at the possibility of
| facing repercussions but ultimately not commit enough effort
| to change anything. Cellebrite's counterparties, however,
| might not be so complacent.
| supergirl wrote:
| signal wants to pick a fight with a grey company that gets
| money for cracking apps? not a good idea
| da_big_ghey wrote:
| one could view making an E2E encrypted app that causes
| problems for police as "not a good idea" but there must be
| some person to do it.
| Ansil849 wrote:
| I don't understand the seeming incongruity between these two
| statements:
|
| On the one hand:
|
| > One way to think about Cellebrite's products is that if someone
| is physically holding your unlocked device in their hands, they
| could open whatever apps they would like and take screenshots of
| everything in them to save and go over later. Cellebrite
| essentially automates that process for someone holding your
| device in their hands.
|
| But on the other hand:
|
| > We are of course willing to responsibly disclose the specific
| vulnerabilities we know about to Cellebrite if they do the same
| for all the vulnerabilities they use in their physical extraction
| and other services to their respective vendors, now and in the
| future.
|
| If UFED just copies data from unlocked phones, why would they be
| using vulnerabilities to do so?
|
| I guess my question is, is Cellebrite capable of copying locked
| devices, or more to the point - has vulnerabilities to unlock
| devices without knowing the access PIN?
| g_sch wrote:
| Based on the post, it sounds like there's some data parsing
| going on (possibly to present the data in a user-friendly
| way?), and the parsing step uses outdated versions of software
| (such as ffmpeg) which have well-documented vulnerabilities in
| them.
| md_ wrote:
| Cellebrite claims,
|
| "Lawfully access locked devices with ease Bypass pattern,
| password or PIN locks and overcome encryption challenges
| quickly on popular Android and iOS devices"
|
| https://www.cellebrite.com/en/ufed/
| supergirl wrote:
| they could use vulnerabilities to extract more data. Probably
| it's common to do some obfuscation of data which Cellebrite
| might have reverse engineered.
| chonkywonk wrote:
| Apple uses Cellebrite devices in its own stores.
| Nextgrid wrote:
| So I wonder, why disclose this?
|
| This will just prompt Cellebrite to improve its security process
| and sandbox the entire tool.
|
| If they wanted to destroy the credibility of the tool, using the
| vulnerabilities to silently tamper with the collected data or
| even leaking it online would be a much better option and hit them
| without any warning, not only jeopardizing those cases but
| forever casting doubt on not just Cellebrite but their competitor
| tools.
| faitswulff wrote:
| Signal may have had countermeasures in place long before the
| blog post, as well.
| godelski wrote:
| Any court case where Cellebrite's tools have been used are now
| in jeopardy since the defence can just say that they were
| hacked by someone else. There's now reasonable doubt that
| Cellebrite can't be trusted. This damages their reputation with
| governments too.
| wglb wrote:
| This is unlikely to be the case, despite the vulnerabilities
| that are described.
|
| The process of e-discovery is rife with risks of this sort,
| when you forensically collect data from a random set of
| devices from a party that may or may not have porn, HIPAA,
| GDPR, sample viruses, malware, who knows what all.
|
| The short version of it is that even if the inhaling of this data
| crashes the device, there are mitigations and protections
| that will allow the evidence to be ultimately produced.
|
| A crash of the Windows host in collection will not invalidate
| the case.
|
| disclosure: ex-CSO of Relativity, leading provider of
| e-discovery software.
| Zak wrote:
| The vulnerability claimed here doesn't necessarily _crash_
| the computer running the software. It runs arbitrary code,
| and said code is able to modify the data Cellebrite
| extracts. It is not clear whether it is possible to detect
| whether data collected in the past is compromised.
|
| There may be mitigations, but without knowing the full
| details of the exploit, it sounds a lot like reasonable
| doubt to me. A good lawyer would spin it exactly that way,
| putting any cases without sufficient corroborating evidence
| in jeopardy.
| wglb wrote:
| If the data is off on another server, it seems unlikely
| that past cases can be compromised.
|
| There are a whole set of rules about challenging
| evidence, including electronic evidence. Keep in mind
| that the other side gets a crack at it also. It is
| unlikely that the whole case would be thrown out because
| of a corrupted file. Reasonable doubt is not part of the
| forensic process--this is what a jury needs to consider
| to render a verdict.
|
| As pointed out elsewhere, many uses of this tool are
| extrajudicial.
| tptacek wrote:
| Not really. The same circumstances exist for almost all
| digital evidence. Of course, a lot of Cellebrite usage is
| extrajudicial already.
| godelski wrote:
| If you're failing some basic security it isn't going to
| give much confidence.
|
| But also users don't know now if their systems will explode
| if they try to gather Signal (or other app) data.
| tptacek wrote:
| The quality of forensics software is extremely low; a
| similar story was once written about EnCase, and had zero
| impact on any legal case anywhere.
| wglb wrote:
| As in https://www.securityweek.com/forensics-tool-flaw-
| allows-hack...., yet it is used in cases large and small,
| civil, criminal, federal state.
| tptacek wrote:
| Matt Blaze did some research on this, and it seems to
| turn out that when you put an argument like this in front
| of a judge or jury, ultimately you have to back it up
| with evidence that it actually happened; it's not enough
| to say that the potential existed. Which makes sense,
| because the potential exists for a lot of stuff,
| including stuff we don't often talk about.
| polar wrote:
| https://insights.sei.cmu.edu/blog/forensics-software-and-
| ora... ?
| tptacek wrote:
| Whether Cellebrite is secure or not has really not much impact
| on Signal. Shore up Cellebrite's security, don't, either way,
| pretty much same threat to users. But calling them out like
| this could force them to placate _their_ customers by spending
| money on software security --- something they apparently
| haven't been doing --- and inflicting costs on your adversary is
| good praxis.
| po wrote:
| Sandboxing doesn't fix the problem. The problem isn't the same
| as a consumer app where you're trying to protect the OS from
| being rooted. Their problem is they need to protect the
| integrity of the report it generates because that's the thing
| that makes them money.
|
| _edit:_
|
| One thing they could try to do is to sandbox the parser itself
| to lower attack surface area... but the damage is done here and
| I really doubt they will win a security tit-for-tat with
| Signal.
| Zarathust wrote:
| It seems to be a retaliatory measure against this:
|
| > When Cellebrite announced that they added Signal support to
| their software, all it really meant was that they had added
| support to Physical Analyzer for the file formats used by
| Signal.
|
| Your case is valid about potential judiciary impact, but it
| would require Signal to monitor cases involving Cellebrite
| and step forward to help the defense while unprompted to do so.
| Furthermore, Cellebrite clients seem to include entities that
| do not care so much about a fair trial.
| eli wrote:
| For one thing, it could otherwise waste a lot of time for the
| poor white hat hacker who tries to figure out why this oddly
| formatted file suddenly exists in the app data.
|
| And it doesn't destroy the credibility of the tool to silently
| mess with its data. People have to know it's happening.
| kbenson wrote:
| > sandbox the entire tool.
|
| Sandboxing doesn't really help. The problem isn't that the tool
| is used to infect the rest of the system, but that the tool
| itself is compromised, the reports it generates are
| compromised, and past reports may be compromised. Unless
| you're pushing that data outside the sandbox (which is a hole
| in the sandbox, and while much more limited might also be an
| exploit vector or a way to cause problems in the data) it's
| still fair game if the sandboxed tool is compromised.
|
| There's multiple reasons to disclose it. First, because as
| another comment noted it attacks the credibility of the
| company, and credibility is very important for tools used in
| court.
|
| Second, because their main goal is to protect Signal, not
| attack Cellebrite. Making Signal a problem to attempt to gather
| data about will possibly make them just blacklist Signal as an
| app they gather for. This could be temporary, but since Signal
| alluded to many exploits and that they have a bunch queued up
| for the future, it will always be a risk for Cellebrite to
| attempt to gather info from Signal, so they might just continue
| to skip it.
| acdha wrote:
| This is too quick a dismissal: if they sandboxed each
| extraction tool they'd be more likely to be able to say that
| a compromised tool did not compromise the entire system or
| data collected by other tools. This is exactly why programs
| like browsers, messaging clients, etc. have moved things like
| media decoders into separate processes, especially since
| those tools can be sandboxed quite aggressively whereas a
| monolithic program will use a fair number of different
| permissions.
| choppaface wrote:
| The public disclosure about the Apple DLLs could potentially be
| used to drag Apple into any legal case between somebody versus
| Cellebrite. The disclosure needs to be public versus private or
| under seal or whatever to absolve the Cellebrite counterparty
| of any liability from reverse engineering. Suddenly Apple is
| now in potential collusion with Cellebrite. Or maybe not. This
| public disclosure makes the threat of Discovery a bit less
| toothless.
|
| IANAL but I could imagine Cellebrite has existing or pending
| litigation where this disclosure upsets their position.
| supergirl wrote:
| does cellebrite appear in any legit court cases? from this
| blog post it sounds like only "authoritarian" regimes use it.
| i doubt it would appear in any legit case. it's a shady tool.
| they'll use it to gather info but will not present this info
| directly in court, instead use it to gather legitimate proof,
| if needed.
| redleader55 wrote:
| I think they mention Apple in an attempt to force them to
| defend their copyright, else they risk losing it.
|
| I assume Apple will choose to file for copyright infringement
| than risk being accused of collusion and lose the copyright
| on that iTunes or parts of it.
| seba_dos1 wrote:
| That's not how copyrights work, you're confusing it with
| trademarks.
| Gaelan wrote:
| Right, but Apple now has to choose between suing
| Cellebrite and (tacitly) condoning their behavior. Not
| the same as losing the copyright, for sure, but still.
|
| Not clear which the parent was talking about. Maybe both?
| spinny wrote:
| Probably disclosure is the best option.
|
| Silently tampering with the data might cross a legal line. Doing
| this might put at risk current or past cases where there is a
| legitimate reason to use this sort of tool.
|
| Privacy can be hard. While I 100% defend that everybody has the
| right to privacy, I can also see the need for the capability to
| break it. Maybe the answer for this is a very tight regulation
| around the uses of this kind of hardware/software, but that
| regulation would have to keep up with the pace of technology.
| xchip wrote:
| Any idea what this means? It is at the bottom of the article:
|
| "In completely unrelated news, upcoming versions of Signal will
| be periodically fetching files to place in app storage. These
| files are never used for anything inside Signal and never
| interact with Signal software or data, but they look nice, and
| aesthetics are important in software.[...]"
| tptacek wrote:
| They're alluding to the fact that they can randomly pop
| Cellebrite installations by planting anti-Cellebrite malware on
| their users phones.
| po wrote:
| This is truly a hacker's retort.
|
| It attacks Cellebrite's ability to operate by casting doubt on
| the reports generated by the product that their customers may
| wish to use in court.
|
| It places them in legal peril from Apple, and removes any cover
| Apple would have to _not_ take legal action. (I assume someone at
| Apple knew they were shipping their DLLs?)
|
| It makes a thinly-veiled threat that any random Signal user's
| data may actively attempt to exploit their software in the future
| and demonstrates that it's trivial to do so.
|
| _edited to add a bonus one:_
|
| Publish some data about what they are doing to help create a
| roadmap for any other app that doesn't want their data to be
| scanned.
| upofadown wrote:
| I really seriously doubt that anyone would ever advance the
| idea that Signal had deliberately framed them by creating false
| data on their phone. I don't see this as much more than
| pointing out that Cellebrite has vulnerabilities, just like the
| ones they exploit.
| zaphar wrote:
| You wouldn't imply that Signal had framed you. You would
| imply that someone else had framed you using the same
| vulnerabilities as Signal has now indicated exists. i.e. You
| can't trust Cellebrite because it's now known to be trivial
| to subvert their software. It's also difficult for Cellebrite
| to prove that there aren't remaining vulnerabilities in their
| software since Signal didn't disclose the problems they found
| and won't do so unless Cellebrite discloses the exploits they
| claim to be using in Signal.
| upofadown wrote:
| You can't just claim an unknown entity framed you and hope
| to get anywhere. Heck, you could just as well claim that
| Cellebrite themselves had it in for you.
|
| Cellebrite has never claimed any particular exploits in
| Signal. Signal is exploitable in this particular way for
| entirely obvious and common reasons.
| rOOb85 wrote:
| It's about casting doubt on their software and its
| trustworthiness.
|
| In computer forensics it's ALL about being able to
| verify, without a shadow of doubt, that something is what
| they say it is. Chain of custody rules everything. This
| blasts a huge gaping hole in all that. He's proven that
| chain of custody can be tampered with undetected.
| Files can be planted, altered or erased. Reports can be
| altered. Timestamps can be changed. The host OS can be
| exploited. It calls all past and future Cellebrite reports
| into question. Cellebrite can no longer guarantee their
| software acts in a consistent, reliable, verifiable way. It
| leaves doubt.
| wglb wrote:
| > In computer forensics it's ALL about being able to
| verify, without a shadow of doubt that something is what
| they say it is
|
| Mostly. The other side gets all the evidence that the
| opposing side sees. They both get a chance to review it.
|
| > Chain of custody rules everything.
|
| Agree.
|
| > This blasts a huge gaping hole in all that.
|
| Not really. The analysis goes in two steps. One is to
| pull all the data from the phone, in a chain-of-custody
| manner. In an adversarial case, both sides can do this.
|
| The collection and analysis go in two steps. First is
| moving the data to a Windows box. Next is the analysis. As
| I understand it, the analysis portion is where things can
| explode. Then, if in the hands of someone skilled in
| forensics, the extracted data would be saved on some
| other device, possibly to be shared with the other side.
| Then the risky, potentially explosive analysis would be
| done. It is very unlikely that all previous cases exist
| on that device and nowhere else.
|
| Therefore,
|
| > It calls all past and future Cellebrite reports into
| question.
|
| is not true, as the extracted files are likely not on the
| collecting Windows device.
|
| In any case, it is not clear how many uses of this device
| are in actual legal environments.
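An added example (not code from the thread, from Signal or from Cellebrite) of the separation wglb describes: the extracted files are hashed into a manifest that is recorded off the analysis host before any parser runs, and re-checked afterwards. The directory layout and file contents below are constructed sample data; the check flags a file whose bytes changed even when its timestamp was put back, which is the "no detectable timestamp changes" case quoted earlier in the thread.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large extraction images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(extraction_dir: Path) -> dict:
    """Hash every regular file under the extraction directory, keyed by relative POSIX path."""
    manifest = {}
    for p in sorted(extraction_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(extraction_dir).as_posix()] = sha256_file(p)
    return manifest


def manifest_digest(manifest: dict) -> str:
    """One digest over the canonical JSON form: the single value worth writing into the custody log."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_extraction(extraction_dir: Path, manifest: dict) -> dict:
    """Compare the directory as it is now against the stored manifest."""
    current = build_manifest(extraction_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: hash an extraction, then alter one file and restore its mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "chats").mkdir()
        (root / "chats" / "messages.db").write_bytes(b"constructed sample: message rows")
        (root / "media").mkdir()
        (root / "media" / "photo1.jpg").write_bytes(b"constructed sample: jpeg bytes")

        # Step 1: hash everything before analysis; this digest is what leaves the host.
        manifest = build_manifest(root)
        digest_before = manifest_digest(manifest)

        # Simulated post-hoc change to one extracted file, with its timestamps put back
        # so that an mtime-based check alone would not notice it.
        target = root / "chats" / "messages.db"
        st = target.stat()
        target.write_bytes(b"constructed sample: message rows, one inserted")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        # Step 2: verify against the externally held manifest.
        result = verify_extraction(root, manifest)
        result["mtime_unchanged"] = target.stat().st_mtime_ns == st.st_mtime_ns
        result["digest_unchanged"] = manifest_digest(build_manifest(root)) == digest_before
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only helps if its digest is stored somewhere the analysis host cannot write to; a manifest kept beside the reports is just one more file the same process could rewrite.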
| zaphar wrote:
| Why would it have to be an unknown entity? I imagine in
| at least some court cases there could be potential
| antagonists to pin the blame on.
| novok wrote:
| You can claim that by having signal on your phone, it
| probably compromised the evidence gathering and you
| didn't know about it and you don't know how, so that
| evidence is not trustworthy. Kind of like police opening
| anti-tamper / anti-shoplifting seals which ruin the item
| they are trying to confiscate with a large amount of dye.
| [deleted]
| derivagral wrote:
| You'd claim that the tooling used and thus the evidence
| is unreliable. Not because of yourself or anybody
| targeting yourself, but due to other actors attacking
| Cellebrite and leaving you as collateral damage. You'd
| base this on testimony from other (court-authorized)
| experts, perhaps even the CEO of a major privacy app.
| Would be an interesting trial to follow in the US, not
| sure I'd want to be the defendant though.
| polar wrote:
| Cellebrite acquired BlackBag Technologies recently. BlackBag
| emerged from Apple's security team.
| gnud wrote:
| Fitting name.
|
| Black-bag the opposition politician, and then black-bag her
| phone.
| ASalazarMX wrote:
| All that trouble because a bag conveniently "fell from a
| truck". All in all I'm really happy for all this.
| jjoonathan wrote:
| I am happy to see the bag survived its most untimely truck
| tumble while remaining a e s t h e t i c a l l y - - - p l e
| a s i n g.
| batch12 wrote:
| I found that funny too. It sounds to me like a good way to
| end up with the device to analyze without being constrained
| by a contract or EULA prohibiting it.
| ampdepolymerase wrote:
| Indeed, how _convenient_. If it truly did fall off the truck
| right while he is on a walk then there is the possibility
| that it is a rubber duckie attack. This is basically the
| equivalent of leaving a USB flash drive lying around. I hope
| the author took the necessary precautions when reverse
| engineering the device. Companies like Cellebrite have deep
| connections to certain three letter communities that make staging
| this sort of attack trivial.
| djoldman wrote:
| I think we can be relatively confident that the connected
| machine was airgapped and perhaps run in a VM.
|
| Perhaps even in a faraday cage..
| boredpenguin wrote:
| > (...) and perhaps run in a VM.
|
| One of the screenshots[0] shows the VMware Tools Service
| running, so yeah, looks like a virtualized guest.
|
| [0]: https://signal.org/blog/images/cellebrite-dlls-
| loaded.png
| CPLX wrote:
| > If it truly did fall off the truck
|
| lol
| baby wrote:
| Seeing reactions like GP's I'm surprised at how many
| people don't know this expression.
| ASalazarMX wrote:
| I thought it was a euphemism because they couldn't
| reveal who gave it to them. Confessing it was stolen,
| even as a euphemism, is too blatant to be taken
| seriously IMO.
| f38zf5vdt wrote:
| If English is your second language, you may not have come
| across it. It's a very informal and infrequent idiom.
| baby wrote:
| FWIW we have the exact same expression in French "c'est
| tombe du camion"
| CloselyChunky wrote:
| Ditto for German: "vom Laster gefallen"
| jacquesm wrote:
| "falling off a truck" is slang for "was stolen".
| thayne wrote:
| Given the sort of business Cellebrite is in, they would
| probably still want to treat anything connected to it
| with an overabundance of caution.
| ASalazarMX wrote:
| TIL:
| https://idioms.thefreedictionary.com/fall+off+a+truck
|
| Edit: looking up a bit more, it seems like this idiom is
| used to denote goods sold for cheap because they were
| stolen. Like "Bob is selling genuine iPhones very cheap,
| I fear they fell from the back of a truck".
|
| Edit edit: I initially took it as "we won't tell how we
| got this", because I didn't know this idiom, but it seems
| several people agree with this interpretation. Not
| necessarily stolen, but obtained from an undisclosed
| source.
| dkjaudyeqooe wrote:
| That isn't quite right. Although it's commonly used to
| describe something that's been stolen, it's more
| generally used to indicate that the speaker doesn't want
| to talk about where it came from. That's how it's been
| used in this article.
| spinny wrote:
| Yup. Those things have a way of "falling from a truck". Another
| win for the "fell from a truck" gang ;)
| londons_explore wrote:
| Sadly I suspect the people in law enforcement who make
| purchasing decisions never read the Signal blog, and therefore
| all these points will be moot.
| tgsovlerkhgsel wrote:
| They don't have to read that.
|
| The defense lawyers have to read it, and the people in law
| enforcement need to read the cases where judges throw out
| Cellebrite evidence based on that.
| jjoonathan wrote:
| They won't be moot when defense lawyers bring them up.
| londons_explore wrote:
| Doesn't matter. When you can go through every message on
| someone's phone back for years, I'm sure you can find
| something to put nearly anyone in prison for.
|
| No need to tell the court how you found out...
| crb002 wrote:
| It was brazen enough to pop an iTunes GUI a few years back.
| op00to wrote:
| > It attacks Cellebrite's ability to operate by casting doubt
| on the reports generated by the product that their customers
| may wish to use in court.
|
| Fortunately, parallel construction means you never really have
| to throw out bad evidence as long as you can find some good
| evidence too!
| maccam912 wrote:
| Knowing that at least one row of data in a database might
| have been modified randomly means you can't fully trust any
| one line in the database completely.
|
| It reminds me of the story of
| https://en.wikipedia.org/wiki/Annie_Dookhan
| colmmacc wrote:
| As a Signal user and moxie fan I love that post, but I worry
| that it places _Signal_ in legal peril from Apple.
|
| My fear, and prediction, is that the authorities will frame
| this as an even more egregious attack on law enforcement and
| that interfering with investigations is a crime (I'm not a
| lawyer, but I play one in hacker news comments, and that sounds
| like a crime). They'll lean on the app stores and the app
| stores will lean on or remove Signal.
| jjoonathan wrote:
| 1. Any app could do it.
|
| 2. Signal stirred FUD in a blog post. That's a _very
| different thing_ from actually doing it.
| jaywalk wrote:
| Well, if you read the whole blog post, it certainly _seems_
| like they 're actually doing it.
| jjoonathan wrote:
| Nah. The cost/benefit of saber rattling makes tons of
| sense while the cost/benefit of actually doing it makes
| much less sense. Probably.
|
| No amount of certainty about Marlinspike's actions should
| comfort Cellebrite, though, because Moxie Marlinspike
| isn't the only person allowed on the app store.
| akerl_ wrote:
| I'm not sure what you mean. The end of the post pretty
| clearly describes the framework they're using to roll out
| these exploits as latent files within the Signal app.
| rodgerd wrote:
| > It makes a thinly-veiled threat that any random Signal user's
| data may actively attempt to exploit their software in the
| future and demonstrates that it's trivial to do so.
|
| That does not make me feel good about Signal.
| rpdillon wrote:
| I've seen this reaction a few times. Can you say more?
| Presumably Signal users value privacy, and the implication is
| that when hacking tools used to violate that privacy are
| applied to a device running Signal, it may try to interfere
| and prevent the extraction to some degree. This seems like an
| ideal feature for a private messenger.
|
| In contrast, it would strike me as strange if a Signal user
| switched to another messenger that allowed the data
| extraction because they were uncomfortable with Signal
| blocking it.
| WrtCdEvrydy wrote:
| This is something I have personally looked at as an owner of a
| UFED touch device (1st gen). By default your software runs in a
| non-privileged account but who's to say one of the files isn't just
| straight up being read by FFMPEG and adding or removing evidence
| from the final report.
|
| The official Cellebrite policy has always been "don't worry, if
| you get stuck, we can send you an expert to testify to the
| reliability of the scientific evidence due to previous cases" but
| what happens when the pyramid of previous cases falls apart? Do
| you suddenly own a paperweight?
|
| I've also published papers (with NIST's help) on using consumer
| grade hardware for forensics and why testing your tools across a
| wide variety of scenarios is critical.
| hnrodey wrote:
| I have a newfound perspective for the malware/spyware industry
| after watching The Dissident.
|
| I am SO IMPRESSED with this middle finger from the Signal team.
|
| https://www.imdb.com/title/tt11382384/
| joshgoldman wrote:
| I like how the CEO bashes other countries and deliberately
| doesn't mention USA as a customer of Cellebrite
| p4bl0 wrote:
| I hope Cellebrite users like the rhythm and lyrics of _Never gonna
| give you up_.
| tazeg95 wrote:
| "I was recently out for a walk when I saw a small package fall
| off a truck ahead of me."... I laughed :)))
| cycomanic wrote:
| >By a truly unbelievable coincidence, I was recently out for a
| walk when I saw a small package fall off a truck ahead of me. As
| I got closer, the dull enterprise typeface slowly came into
| focus: Cellebrite.
|
| That's just hilarious! Nice way of saying we got our hands onto
| one of these boxes, but we don't want to reveal how. It fell off a
| truck.
| throwaway888abc wrote:
| By a truly unbelievable coincidence, I was recently out for a
| walk when I saw a small package fall off a truck ahead of me.
|
| Nailed it!
| tony101 wrote:
| A reminder that you can pair lock your iPhone to prevent analysis
| by Cellebrite or similar tools:
| https://arkadiyt.com/2019/10/07/pair-locking-your-iphone-wit...
| moduspol wrote:
| All of these are based on the assumption that the attacker has
| physical access to the _unlocked_ phone, right?
|
| I'm trying to understand the risk profile here.
|
| I guess I see the value for, e.g., a border crossing, where
| they can inconvenience you and ask you to unlock your phone,
| but instead of flicking through your messages briefly, they
| authorize a pairing and quickly backup your entire disk
| content. You expected a quick perusal by a human, but
| unknowingly gave them a lot more. If you've blocked pairing,
| they can't get nearly as much data as quickly.
|
| But if you're being investigated for committing a crime,
| everything we think we know about device unlocking is still
| true, right? They'd need me to unlock it before it'd trust a
| new device to pair to, and they'd need a court order to get me
| to unlock it for them. Five quick taps of the power button and
| biometric unlocks are off--now they need my passcode.
|
| Perhaps there's still value, even in that case, in that if I
| were compelled via court order to give my passcode, they still
| can't quickly / easily dump the disk contents from a device
| pairing. Although I imagine if you have the passcode there's
| probably many other ways of accomplishing the same result.
| carstenhag wrote:
| > unlocked phone
|
| Well, mostly yes, that's considering Cellebrite doesn't have
| 0-days or other exploits which can send a SMS to the device
| or similar things. Using Cellebrite's software you can also
| send silent SMS, so it's not far off either.
|
| A German Cellebrite ambassador showed me and colleagues the
| mentioned tools of the blog post and told us he participates
| at Law Enforcement raids. At 6 in the morning they raid the
| houses of the suspects, detain them and immediately ask for
| PINs and passwords. He said that surprisingly often it works
| and no further decryption tries have to be performed.
| matheusmoreira wrote:
| Are there similar features for Android devices? A database of
| Cellebrite-resistant phones, perhaps?
| Anechoic wrote:
| Do we (reasonably) know if this still works?
| atVelocet wrote:
| This still works as written. Just test it yourself with a Mac
| and Apple Configurator.
| Gaelan wrote:
| I mean, "the iPhone prevents well-behaved software from
| accessing data without a password" and "software, known to
| exploit vulnerabilities to get around security features,
| currently doesn't have any such exploits" are very
| different.
| ASalazarMX wrote:
| Every stone we can put in the way of surveillance helps.
| lights0123 wrote:
| There was a vulnerability in this technique that was fixed in
| iOS 11: https://labs.f-secure.com/advisories/apple-ios-host-
| pairing-.... If someone found another vulnerability and
| shared it with Cellebrite, then it doesn't work. If they
| haven't, then it still does.
| upofadown wrote:
| They literally said the unit fell off a truck. Funny...
|
| Correct me if I am wrong, but did they really say they were
| going to be doing active attacks against Cellebrite units? Also
| funny... but they probably are not actually going to be doing
| that.
| kbenson wrote:
| They didn't actually say anything of the sort. They may have
| implied some stuff. Anything they did imply wouldn't be an
| active attack though, it would be a passive one, triggered only
| if Cellebrite tried to gather data from the Signal app on
| phones. Not gathering info from a phone, or not gathering
| Signal data from a phone, would both be ways Cellebrite could
| avoid this potential passive attack.
| ev1 wrote:
| I read nothing about an attack of any method or type at all.
|
| If Cellebrite decides to punch a spiky rock they could have
| just not done that in the first place.
| ASalazarMX wrote:
| The digital equivalent of "stop hitting yourself".
| Notwithstanding their crypto issue, this gives me renewed
| confidence in Signal's team.
| pavon wrote:
| To me it seems more like the equivalent of leaving booby
| trapped packages to be found by porch pirates. Or putting
| laxatives (or worse) in your sandwich to get back at the
| unknown coworker stealing your lunch. Both of which are
| considered illegal in the US.
|
| Assuming these files actually contain exploits. Maybe they
| do maybe they don't. You feeling lucky Cellebrite?
| crb002 wrote:
| https://www.iowajustice.com/ is _amazing_ at UFED defense.
| Klonoar wrote:
| If it's true that you can grab a Cellebrite hardware piece
| without too much difficulty (Ebay, etc - and note I'm not
| speaking from expertise so someone please fact check me), I'd
| find it hard to believe Apple wouldn't have done this kind of
| inspection themselves and/or noticed those DLLs being shipped.
|
| Curious if there'll be a response of sorts.
| polar wrote:
| I am reasonably confident that Apple is a Cellebrite customer.
| Their security team certainly has access to forensic tools from
| other vendors. That team also spawned BlackBag Technologies,
| which is now part of Cellebrite.
| saagarjha wrote:
| Apple uses Cellebrite devices in their stores to transfer
| data from devices, I believe.
| rubatuga wrote:
| Truly a jaw dropping blog post, as the top comment currently
| states, Apple may be legally required to at the very least,
| comment on this situation.
| idlewords wrote:
| This is pretty irksome. I get how satisfying it must feel, but
| the one thing I want as a Signal proponent is for the app to be
| _boring_ and reliable. That means make it easy to use enough to
| be mainstream, squash bugs, and do all the lovely security work
| you do.
|
| That does not mean adding stuff like untraceable cryptocurrency
| payments or very publicly tweaking the noses of law enforcement,
| and bragging about how you're putting exploits in your app to
| hack them.
|
| This isn't 1993 and the last thing we need is more pretexts to
| ban E2E encrypted apps in the countries where they're needed the
| most. I think this trades a moment's satisfaction for a very bad
| long-term outcome.
| g_sch wrote:
| The problem with being boring while attacking powerful
| institutions (like LEOs or nation states) is that it only works
| as long as you're small enough to stay below their radar. After
| a certain point, the material reality will sink in that you're
| a threat, and they're going to take action against you
| regardless of how you carry yourself. It's totally possible,
| given that we're starting to hear more and more accounts of
| powerful people using Signal, that we're approaching that
| tipping point, and a more gloves-off approach might be
| necessary.
|
| That being said, I agree with you 100% on the cryptocurrency
| payments issue and think that was a misstep on their part.
| jjoonathan wrote:
| Signal isn't going to actually do it, they know how that would
| end, they're just playing the FUD game in the other direction.
| Which I am 100% on board with.
| zie wrote:
| The client code is open source, so it should be pretty easy
| to tell if they actually do it.
| idlewords wrote:
| Maybe the one thing worse than boasting that you're putting
| malware in your product is boasting about it and not doing
| it.
| rOOb85 wrote:
| They are not putting malware into their app. They are
| adding aesthetically pleasing files to their app. Is it
| Signal's fault if someone else's software doesn't work
| properly with them? How can Signal test every piece of
| software to make sure it's compatible with their own
| software? Especially when the other software is using
| Signal in an unintended way.
|
| It's not Signal's job to secure 3rd party software, that's
| entirely on the 3rd party.
| mannerheim wrote:
| Is it malware if users desire for their devices to be
| resistant to surveillance tools?
| spinny wrote:
| goodware ??
| matheusmoreira wrote:
| Malware? Any countermeasure against state surveillance is a
| good thing for us.
| [deleted]
| spoonjim wrote:
| Signal has a strong ideology. If you don't want to be a part of
| that then don't use the app.
| idlewords wrote:
| Secure messaging apps aren't very thick on the ground. I
| don't have to agree with Signal on every issue, I just want
| them to ease off the 4-Loko.
___________________________________________________________________
(page generated 2021-04-21 23:00 UTC)