“There are virtually no limits on the code that can be executed,” Marlinspike wrote.įor example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded into any app installed on the device. On Wednesday, Marlinspike published a post that reported vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze devices. Now, Moxie Marlinspike-creator of the Signal messaging app-has turned the tables on Cellebrite.
For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into confiscated mobile phones, mostly by exploiting vulnerabilities that went overlooked by device manufacturers.
