The payload uses the MessageBox Windows API to display a benign message, but Marlinspike said that “it’s possible to execute any code, and a real exploit payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports (perhaps at random!), or exfiltrate data from the Cellebrite machine.” Marlinspike included a video that shows UFED as it parses a file he formatted to execute arbitrary code on the Windows device. None of those fixes are included in the FFmpeg software bundled into the Cellebrite products. Marlinspike said that in the intervening nine years, FFmpeg has received more than 100 security updates. The software was built in 2012 and hasn’t been updated since. One example of this lack of hardening was the inclusion of Windows DLL files for audio/video conversion software known as FFmpeg. “Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.” Compromising integrity “Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security,” Marlinspike wrote. Typically, software that is this promiscuous undergoes all kinds of security hardening to detect and fix any memory-corruption or parsing vulnerabilities that might allow hackers to execute malicious code. To do their job, both pieces of Cellebrite software must parse all kinds of untrusted data stored on the device being analyzed. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.Ĭellebrite provides two software packages: The UFED breaks through locks and encryption protections to collect deleted or hidden data, and a separate Physical Analyzer uncovers digital evidence (“trace events”). “There are virtually no limits on the code that can be executed,” Marlinspike wrote.įor example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded into any app installed on the device. On Wednesday, Marlinspike published a post that reported vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze devices. Now, Moxie Marlinspike-creator of the Signal messaging app-has turned the tables on Cellebrite. For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into confiscated mobile phones, mostly by exploiting vulnerabilities that went overlooked by device manufacturers.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |