
Signal Says Cellebrite Mobile Device Analysis Products Can Be Hacked
2021-04-22 13:10

Cellebrite's forensic applications do not include the type of security protections one would expect from parsing software, which leaves them susceptible to attacks, according to privacy-focused messaging service Signal.

Cellebrite claims to have thousands of customers in over 140 countries.

Signal was able to execute code on a Cellebrite machine by including "a specially formatted but otherwise innocuous file" in an application running on a device that is subsequently plugged into and scanned by Cellebrite.

One possible outcome of such an attack would be the modification of Cellebrite reports in unexpected ways.

"Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices," Marlinspike says.

To reduce the risk, Cellebrite could update the software to not scan applications considered high risk, but even that won't guarantee the integrity of reports.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/feifCbtsoIQ/signal-says-cellebrite-mobile-device-analysis-products-can-be-hacked

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Signal 3 1 7 5 1 14