Security News > 2021 > April > Signal CEO gives mobile-hacking firm a taste of being hacked
Software developed by data extraction company Cellebrite contains vulnerabilities that allow arbitrary code execution on the device, claims Moxie Marlinspike, the creator of the encrypted messaging app Signal.
The researcher found that Cellebrite's software had outdated open-source code that had not been updated in almost a decade, despite security updates being available.
Exploring possibilities for exploitation, Marlinspike found that he could run arbitrary code on a Cellebrite machine when it parsed a specially formatted, yet non-offensive file on a device it scanned.
By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it's possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way, with no detectable timestamp changes or checksum failures" - Moxie Marlinspike.
The researcher provides proof of successful exploitation of UFED, Cellebrite's product for collecting evidence from sources ranging from mobile devices and apps to public-domain social media services.
These files, add nothing to Signal's functionality and will not interact with the app, "But they look nice, and aesthetics are important in software." If these are formatted in a special way, Cellebrite's customers will likely have a hard time demonstrating the integrity of the scan reports from devices where Signal is installed.