
Signal programmers reverse-engineer Cellebrite tools, find serious security flaws.

Splork

Summary

 

About a year after "security" vendor Cellebrite claimed to be able to extract the Signal messenger's data, the Signal developers have hit back. After reverse-engineering "the latest versions of the Cellebrite software", Signal founder Moxie Marlinspike announced in a blog post that the software has grave security flaws which would allow an attacker to reverse-exploit a PC running the infamous forensics software.

 

Quote

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way [...]

Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.

 

Marlinspike finished the blog post with a thinly-veiled threat to any organisation which uses Cellebrite's software:

 

Quote

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.

 

My thoughts

On the one hand, this is just another instance of a supposed "security" company with terrible security (like shipping ffmpeg DLLs from 2012). On the other hand, since Cellebrite has been somewhat controversial due to the cooperation with - dubious - institutions, I can certainly understand the glee with which many people are reporting on this. In any case, I was expecting something like this to happen ever since Cellebrite announced that it had "broken" Signal's security.
Also, the blog post itself is quite funny to read with its tongue-in-cheek style (like the claim that the kit had "just fallen off a truck").

 

Sources

https://signal.org/blog/cellebrite-vulnerabilities/

https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/


Honestly, the "threat" sounds incredibly petty. 

I understand where he's coming from, and how satisfying it must be for him, but as a CEO, he should maybe try to be a bit more professional?

From the point of view of a humble device owner, I also don't find the idea of having my phone turned into a digital battleground between companies particularly appealing; you want to duke it out? Sure, fine, but please leave my phone out of it?


15 minutes ago, Rauten said:

Honestly, the "threat" sounds incredibly petty. 

I understand where he's coming from, and how satisfying it must be for him, but as a CEO, he should maybe try to be a bit more professional?

From the point of view of a humble device owner, I also don't find the idea of having my phone turned into a digital battleground between companies particularly appealing; you want to duke it out? Sure, fine, but please leave my phone out of it?

When you're in security like Signal is, you need to use humor like this. Though the fact Signal is basically going to ship remote kill code for the Cellebrite hardware is kind of hilarious. And that's really how you should read what they're saying. But that file improves the physical security of the Signal files on a device, which is actually the point of them.


54 minutes ago, Rauten said:

Honestly, the "threat" sounds incredibly petty. 

I understand where he's coming from, and how satisfying it must be for him, but as a CEO, he should maybe try to be a bit more professional?

Gotta agree, seems like he diverted a fairly significant chunk of resources away from his normal business in pursuit of revenge.

 

Also gotta love how the security focused CEO is threatening to actively exploit a zero day he discovered without creating a CVE or doing any form of ethical disclosure.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Ah yes, because the companies Cellebrite caters to wouldn't be more than happy to make sure their code is not exploitable so they can continue exploiting security. Meaning government agencies who would like to make sure Cellebrite keeps working will be sure to keep their golden goose safe from any attacks, so to speak.


2 hours ago, Master Disaster said:

Gotta agree, seems like he diverted a fairly significant chunk of resources away from his normal business in pursuit of revenge.

 

Also gotta love how the security focused CEO is threatening to actively exploit a zero day he discovered without creating a CVE or doing any form of ethical disclosure.

Well, no one is legally obligated to disclose CVEs. I doubt Cellebrite is doing so. 

My eyes see the past…

My camera lens sees the present…


18 minutes ago, huilun02 said:

Should have remained silent and just stealth nuke Cellebrite. Signal is not raising investor or user confidence by making this public. It's only putting itself on the radar for retaliation.

Exactly, and there are too many bad actors all too eager to work with Cellebrite to take down Signal and expose their users. They should be diverting that time into fixing the ability for Cellebrite to do anything in the first place.


I think it's hilarious personally. I would love nothing more than to walk around knowing the day an asshole cop decides to clone my phone their cloning software gets bricked. I think that's amazing! Now, to be clear, I haven't had to talk to a cop in...10 years? I 'would' be in that 'If you have nothing to hide you have nothing to fear' category, but the fact is cops murder people for funzies. So...yeah, I have plenty to fear. And my uncle was one of those cops who gave bad cops (not good ones) a bad name. He retired with a full pension, despite hundreds of IA reports. I met his friends at the station house. I have a pretty good idea how far down this cancer runs. And, yes, I've met good cops too, problem is, they'd only been on the force for 4 months at that point. 3 years later? Just as cancerous as everyone else.

 

Anyway, I'm all for what Signal is doing. Painting a target on their back? As if one didn't already exist?! And a target isn't really the right metaphor. Being on fire is more like the right metaphor. Signal is already burning. If you're already on fire, pouring a can of gasoline on your head is unlikely to make things worse.


I posted this in a status update but I feel like it would be funny to post here:

Cellebrite: hey signal! we hacked your shit!

Signal: lmfao hold my beer
Signal: *hacks cellebrite's software to not only fix their own vulnerabilities but figures out how apps can modify cellebrite reports generated about them*

i like trains 🙂


3 hours ago, huilun02 said:

Should have remained silent and just stealth nuke Cellebrite. Signal is not raising investor or user confidence by making this public. It's only putting itself on the radar for retaliation.

I would disagree. I could see an argument for a different approach to the post, but Signal was investigating a claim of hacks on their service that wasn't being disclosed to them. They acquired the tools used to supposedly compromise their service, investigated them and are rolling out patches. No one but us techies in the sphere actually cares about any of this.


Pwn3d

Workstation:  13700k @ 5.5Ghz || Gigabyte Z790 Ultra || MSI Gaming Trio 4090 Shunt || TeamGroup DDR5-7800 @ 7000 || Corsair AX1500i@240V || whole-house loop.

LANRig/GuestGamingBox: 9900nonK || Gigabyte Z390 Master || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3080Ti Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)


11 hours ago, huilun02 said:

Should have remained silent and just stealth nuke Cellebrite. Signal is not raising investor or user confidence by making this public. It's only putting itself on the radar for retaliation.

Psychological warfare perhaps? It’s quite likely the devs at Cellebrite are expending significant resources to uncover the flaws Signal may refer to, whether they exist or not. Given that they have actual governments for clients, calling a potential bluff is exceedingly risky for Cellebrite. Many governments and law enforcement agencies are not especially tech versed, and are likely to put pressure upon Cellebrite to fix exposed exploits. 
 

Though only a possibility, merely declaring a flaw could be enough to inflict financial harm on Cellebrite without actually having an exploit in hand.


On 4/22/2021 at 11:12 AM, Rauten said:

Honestly, the "threat" sounds incredibly petty. 

I understand where he's coming from, and how satisfying it must be for him, but as a CEO, he should maybe try to be a bit more professional?

From the point of view of a humble device owner, I also don't find the idea of having my phone turned into a digital battleground between companies particularly appealing; you want to duke it out? Sure, fine, but please leave my phone out of it?

I think you're misinterpreting what is happening here.

Cellebrite are the ones waging war. Signal are protecting you.

 

Imagine if the manufacturer of your door lock said "hey, we've noticed that thieves have a tool that can break the lock you're using. We are going to replace your lock with one that is not only protecting you from this thief-tool, but if some thief is trying to break in their tool will get destroyed".

 

Your reaction shouldn't be "leave my door out of this!" and blame the lock manufacturer. You should be thankful that the lock manufacturer are looking out for you and trying to prevent unauthorized access.

 

 

  

On 4/22/2021 at 12:11 PM, Master Disaster said:

Gotta agree, seems like he diverted a fairly significant chunk of resources away from his normal business in pursuit of revenge.

 

Also gotta love how the security focused CEO is threatening to actively exploit a zero day he discovered without creating a CVE or doing any form of ethical disclosure.

Security research is not "pursuit of revenge". Remember, Cellebrite are attacking Signal, and this is Signal's response.

It's also not the defending side in cyber security that should explain how the weapons used against them are flawed.

Do you think Microsoft contacted the people who developed the Exchange exploit and went "hey guys, we have found out how to harden our servers against your exploits. This is how we are doing it"?

 

 

  

21 hours ago, huilun02 said:

Should have remained silent and just stealth nuke Cellebrite. Signal is not raising investor or user confidence by making this public. It's only putting itself on the radar for retaliation.

I don't think Signal's intentions are to attack Cellebrite. The threat that Moxie wrote at the end might not even be real and it will still have the intended effect, which is to cast doubt on information obtained by Cellebrite tools.

 

If the legal system starts knowing about flaws in Cellebrite products then it is possible that it might not be seen as strong evidence anymore. Signal hopefully doesn't even have to do anything with this information on a technical level. Doing this research and publishing the blog post might be enough to deter the legal organ in some countries to doubt information obtained from Cellebrite products.


The Cellebrite fell off of a truck and they found it like that, heh heh heh...


10 hours ago, LAwLz said:

Security research is not "pursuit of revenge". Remember, Cellebrite are attacking Signal, and this is Signal's response.

Fine, but let's not pretend he, or his business, are security researchers because they're not. They develop a messenger application that just happens to have a focus on good security.

 

When somebody who normally does one thing spends time, money & resources on something they wouldn't normally do to get back at someone they feel did them wrong then it is motivated by revenge.

10 hours ago, LAwLz said:

It's also not the defending side in cyber security that should explain how the weapons used against them are flawed.

Do you think Microsoft contacted the people who developed the Exchange exploit and went "hey guys, we have found out how to harden our servers against your exploits. This is how we are doing it"?

What? This doesn't even make sense against the context of what I posted.

 

He claims to have discovered an exploit that can be used to cause damage to another piece of software and then goes on to threaten said company that he is going to use his exploit to hurt them?

 

You can call it whatever you want, I'm calling it a dick move by a butthurt child who is seeking revenge.

 

Didn't your teachers ever teach you that 2 wrongs don't make a right?


11 hours ago, Master Disaster said:

They develop a messenger application that just happens to have a focus on good security.

 

I mean... if you have a messenger app focused on good security, the least you can have are security researchers in your team imo...

 

 

11 hours ago, Master Disaster said:

He claims to have discovered an exploit that can be used to cause damage to another piece of software and then goes on to threaten said company that he is going to use his exploit to hurt them?

Yeah what he should do is report the vulnerabilities and act like nothing happened.

What they would have done if they really were security researchers (and not making a messenger app) would have been to reverse engineer it all, report all the vulnerabilities to the respective devs and get this company out of business for a good while until they find other vulnerabilities. (kinda like what happened with Hacking Team's leaked source code.)

Developer and student lulw

I mainly use C#, but i also know Java, C/C++, js and i'm learning x86 Assembly


23 hours ago, LAwLz said:

I think you're misinterpreting what is happening here.

Cellebrite are the ones waging war. Signal are protecting you.

 

Imagine if the manufacturer of your door lock said "hey, we've noticed that thieves have a tool that can break the lock you're using. We are going to replace your lock with one that is not only protecting you from this thief-tool, but if some thief is trying to break in their tool will get destroyed".

 

Your reaction shouldn't be "leave my door out of this!" and blame the lock manufacturer. You should be thankful that the lock manufacturer are looking out for you and trying to prevent unauthorized access.

 

 

  

Security research is not "pursuit of revenge". Remember, Cellebrite are attacking Signal, and this is Signal's response.

It's also not the defending side in cyber security that should explain how the weapons used against them are flawed.

Do you think Microsoft contacted the people who developed the Exchange exploit and went "hey guys, we have found out how to harden our servers against your exploits. This is how we are doing it"?

 

 

  

I don't think Signal's intentions are to attack Cellebrite. The threat that Moxie wrote at the end might not even be real and it will still have the intended effect, which is to cast doubt on information obtained by Cellebrite tools.

 

If the legal system starts knowing about flaws in Cellebrite products then it is possible that it might not be seen as strong evidence anymore. Signal hopefully doesn't even have to do anything with this information on a technical level. Doing this research and publishing the blog post might be enough to deter the legal organ in some countries to doubt information obtained from Cellebrite products.

I have to disagree on the part I've bolded, I mean it could be that way now but there is also the possibility of this little "War" escalating and one's device(s) becoming collateral damage over it. 
Not that you've done anything wrong yourself, if your device(s) become the battleground this is waged upon it could mirror what really happens in war when a neutral country gets caught in the middle and becomes the place they fight.

As for the reasons why, it's clear to me someone fired a volley and it's now being returned in kind. Thing is, if the original perpetrator was willing to fire the first shot when the other had done nothing towards them, this would give them a real reason to pursue it with vigor - I hate to say it but fights like this between companies and corporations CAN get just butt-ugly, I've seen and been through it before to know this as fact.

Sad part is the actual damage during all this could well be done by yet another party just looking to embarrass the both of them but it's your stuff that's weaponized and used to make it that way - Not that hackers would really care about all that mind you.

These two have/are already declaring publicly what the exploits found are against the other, don't think for a sec someone else isn't paying attention - This thread in itself is proof of that.

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


18 hours ago, Master Disaster said:

 

 

You can call it whatever you want, I'm calling it a dick move by a butthurt child who is seeking revenge.

 

Didn't your teachers ever teach you that 2 wrongs don't make a right?

As a spectator, I call it a good show. As a privately owned company, Signal is free to do what it wants within the law. There’s no legal standard or obligation of reporting vulnerabilities. Right or not is entirely irrelevant as the shots are already fired. All that’s left to do is enjoy the show. 


3 hours ago, Zodiark1593 said:

As a spectator, I call it a good show. As a privately owned company, Signal is free to do what it wants within the law. There’s no legal standard or obligation of reporting vulnerabilities. Right or not is entirely irrelevant as the shots are already fired. All that’s left to do is enjoy the show. 

Fair and I don't disagree. I was just pointing out the hypocrisy of a CEO who claims that security is so important to behave in this way.


On 4/24/2021 at 10:24 PM, Master Disaster said:

Fair and I don't disagree. I was just pointing out the hypocrisy of a CEO who claims that security is so important to behave in this way.

I don't understand what is hypocritical about what he did. 


1 hour ago, LAwLz said:

I don't understand what is hypocritical about what he did. 

There's an ethical way and an unethical way of handling zero days; someone who keeps telling us how important security is and runs a company with a strong focus on security as part of their business model decides to go down the unethical way.

 

Perhaps hypocrite isn't the exact right term but it's close enough.


1 hour ago, Master Disaster said:

There's an ethical way and an unethical way of handling zero days; someone who keeps telling us how important security is and runs a company with a strong focus on security as part of their business model decides to go down the unethical way.

 

Perhaps hypocrite isn't the exact right term but it's close enough.

I wouldn't say this is a traditional security issue that warrants a disclosure since it's an attack tool that is vulnerable.

 

Again, asking for a disclosure here is like asking Microsoft to disclose how they protect against the recent Exchange exploits.

When you are being attacked by someone, you typically do not disclose how you defend yourself. Signal is a defense product, and now it MIGHT have the capability to disarm attack products that target it.

 

 

I think you have misunderstood why security vulnerability disclosures happen.

If someone discovers a vulnerability in let's say Windows, Windows customers are at risk (which is a large group of people). That's why the person who found the issue should contact Microsoft in secret, and then let them fix it before it gets announced. The timed disclosures (for example "we will announce this issue to the public in 2 months") are there to prevent companies from just ignoring the issues as well.

Disclosures are there to increase security.

 

In this case, we have a security product (Signal) being attacked by Cellebrite (an attacker).

It is very important to remember that Signal is the equivalent of Windows from our previous example. It's the product used by a large amount of people, and that is being attacked. Cellebrite has not disclosed anything about how their attacks happen (which would be the CVE or other type of disclosure).

As a response to being attacked, Signal tries to neutralize Cellebrite's weapons and at the same time discourage Cellebrite from using their tools against Signal.

Since there isn't really a vulnerability in Signal that can just be patched, their countermeasure can only be a counterattack.

 

Vulnerability disclosures happen to protect people. In this case, doing a vulnerability disclosure would go against that since the protection is the threat of a counter attack.

Vulnerability disclosures don't exist because "well, you just should disclose it for no reason". They exist solely in order to increase the security for people. When disclosing a vulnerability reduces the security for pretty much everyone, then you shouldn't do it.

Even if security vulnerability disclosures were some rule or law, Moxie would go against the spirit of the law by disclosing these vulnerabilities.

Following a rule that goes directly against its intention is not a great idea.

 

Moxie is concerned with keeping Signal secure. It's not hypocrisy to make sure your own product is secure at the expense of people actively trying to attack you.
