The Israeli company Cellebrite is known for hardware and software that help police and other authorities hack mobile phones. It is not as infamous as the Israeli NSO Group, whose Pegasus malware has been used to spy on Al Jazeera journalists, among others, but the company’s products have been used in the United Arab Emirates, Russia and Venezuela, among other places.
Now the developers of the encrypted messaging app Signal have come across one of Cellebrite’s hacking packages, complete with hardware dongle, software and more.
Moxie Marlinspike, one of Signal’s founders, writes in a humorous blog post that the developers have examined the software and discovered that it is itself not the least bit secure but, on the contrary, very easy to hack. Among other things, it includes a version of the ffmpeg library from 2012 that lacks over 100 security fixes.
It soon turned out that it is easy to sabotage Cellebrite’s program by placing a specially crafted file anywhere on a phone. When the software extracts all the files from the phone and reaches this file, arbitrary code is executed, which can, for example, delete all data on the computer or make changes that render loaded files unusable.
Moxie Marlinspike writes that Signal will, from time to time, start downloading small files that do nothing special except “look good”, which obviously means that the app will start to include files designed to sabotage Cellebrite’s software.
But that is not all. The developers have also discovered that Cellebrite includes DLL files from iTunes, cryptographically signed by Apple, and point out that it is unlikely that the company has received a license from Apple to do so. This means that the program most likely infringes Apple’s copyright.