Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers


  • Banned

    Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

    (...)

    By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.

    (...)

    Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

    For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    (...)

    In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.


  • BINNED

    @Gąska said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    This and the stuff below about them only actually doing it in a small number of cases makes it sound like they're going for a legal technicality that shows the data is unreliable as evidence. But the stuff at the beginning

    Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere.

    doesn't sound like Cellebrite’s customers are ones that give much of a shit about these particulars of rule of law.


  • BINNED

    @topspin said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @Gąska said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    This and the stuff below about them only actually doing it in a small number of cases makes it sound like they're going for a legal technicality that shows the data is unreliable as evidence. But the stuff at the beginning

    Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere.

    doesn't sound like Cellebrite’s customers are ones that give much of a shit about these particulars of rule of law.

    My guess? They're only going to send the anti-Cellebrite viruses to Western phones. If the Belarusian, Russian, etc. gestapo get a virus from your phone, they'll probably kill you.



  • @GuyWhoKilledBear said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @topspin said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @Gąska said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    This and the stuff below about them only actually doing it in a small number of cases makes it sound like they're going for a legal technicality that shows the data is unreliable as evidence. But the stuff at the beginning

    Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere.

    doesn't sound like Cellebrite’s customers are ones that give much of a shit about these particulars of rule of law.

    My guess? They're only going to send the anti-Cellebrite viruses to Western phones. If the Belarusian, Russian, etc. gestapo get a virus from your phone, they'll probably kill you.

    It's not a virus, it doesn't spread to the new device and on from there. It simply fucks around with data in an "untraceable" way. So all it might be doing is hide all information that is sitting in Signal.


  • BINNED

    @Carnage said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @GuyWhoKilledBear said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @topspin said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @Gąska said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    This and the stuff below about them only actually doing it in a small number of cases makes it sound like they're going for a legal technicality that shows the data is unreliable as evidence. But the stuff at the beginning

    Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere.

    doesn't sound like Cellebrite’s customers are ones that give much of a shit about these particulars of rule of law.

    My guess? They're only going to send the anti-Cellebrite viruses to Western phones. If the Belarusian, Russian, etc. gestapo get a virus from your phone, they'll probably kill you.

    It's not a virus, it doesn't spread to the new device and on from there. It simply fucks around with data in an "untraceable" way. So all it might be doing is hide all information that is sitting in Signal.

    We don't know exactly what it does. They mentioned that they could make the Cellebrite workstation "phone home" to a server that they control so they could track where Cellebrite is being used. Perhaps not the best thing to do in situations where The Regime will kill you.



  • @GuyWhoKilledBear said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @Carnage said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @GuyWhoKilledBear said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @topspin said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    @Gąska said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    This and the stuff below about them only actually doing it in a small number of cases makes it sound like they're going for a legal technicality that shows the data is unreliable as evidence. But the stuff at the beginning

    Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere.

    doesn't sound like Cellebrite’s customers are ones that give much of a shit about these particulars of rule of law.

    My guess? They're only going to send the anti-Cellebrite viruses to Western phones. If the Belarusian, Russian, etc. gestapo get a virus from your phone, they'll probably kill you.

    It's not a virus, it doesn't spread to the new device and on from there. It simply fucks around with data in an "untraceable" way. So all it might be doing is hide all information that is sitting in Signal.

    We don't know exactly what it does. They mentioned that they could make the Cellebrite workstation "phone home" to a server that they control so they could track where Cellebrite is being used. Perhaps not the best thing to do in situations where The Regime will kill you.

    I'd guess that there is some serious derp in Cellebrite, probably SQL-I or CMD calls with raw data from files or something similar, which all give you the ability to do whatever the program is allowed to do.
    Phoning home is probably a bad idea, but it'd be fairly simple to do it at a later time, and also add rootkit payloads and all manner of fun stuff.


  • BINNED

    @Carnage said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    I'd guess that there is some serious derp in Cellebrite, probably SQL-I or CMD calls with raw data from files or something similar, which all give you the ability to do whatever the program is allowed to do.

    The article touches on that. To spy on all kinds of data, their software needs to handle all kinds of formats, so probably contains a large assortment of random shit, including every single parsing bug in existence:

    As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then. There have been over a hundred security updates in that time, none of which have been applied.
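
An added example, not part of the thread or of any vendor's code: a defender-side inventory check for the problem quoted above, bundled libraries that were built years ago and never refreshed. It reads the build timestamp from each PE header under an install directory and lists files older than a threshold. The function names, the 3-year threshold and the sample file are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timezone
from pathlib import Path

def pe_build_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as UTC, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def stale_libraries(root, max_age_years=3.0, now=None):
    """List (name, build date, age in years) for bundled DLL/EXE files older
    than max_age_years. The stamp is linker-written and can be zeroed or
    randomised by reproducible builds, so treat it as a triage signal only."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".dll", ".exe"}:
            continue
        with path.open("rb") as fh:
            built = pe_build_time(fh.read(4096))  # headers sit at the start
        if built is None:
            continue
        age = (now - built).days / 365.25
        if age > max_age_years:
            findings.append((path.name, built.date().isoformat(), round(age, 1)))
    return findings

def make_sample_pe(stamp: int) -> bytes:
    """Constructed sample: the smallest header this parser accepts."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x8664, 0, stamp)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        old = int(datetime(2012, 6, 1, tzinfo=timezone.utc).timestamp())
        Path(d, "bundled-codec.dll").write_bytes(make_sample_pe(old))
        for finding in stale_libraries(d):
            print(finding)
```

A hit from this check is a prompt to compare the library's actual version against its upstream security releases, since the timestamp alone does not prove which patches are missing.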



  • @GuyWhoKilledBear said in Signal the Privacy Protectors vs Cellebrite the Privacy Destroyers:

    We don't know exactly what it does. They mentioned that they could make the Cellebrite workstation "phone home" to a server that they control so they could track where Cellebrite is being used. Perhaps not the best thing to do in situations where The Regime will kill you.

    More likely in addition to hiding Signal's logs from the report they'll set a flag in an "aesthetically pleasing" file that makes it "aesthetically horrifying" and the next time said file is collected via normal Signal traffic Signal will know who did what when to whom. After all, "aesthetically horrifying" is not "aesthetically pleasing" so it's important for them to know.

