Moxie Marlinspike says that Cellebrite hacking tool lacks basic hacking protection
Who watches the watchmen?
Signal chat service chief Moxie Marlinspike claims to have hacked a device owned by the Israeli company Cellebrite. He did this via vulnerabilities in the software, he writes in a blog post on Wednesday. Cellebrite supplies, among other things, equipment to the American FBI and governments, with which they can gain access to, for example, locked iPhones.
Cellebrite’s equipment can crack phones to give authorities access to data that otherwise cannot be seen. Think of encrypted messages, such as from the secure chat service Signal.
It’s not clear how Marlinspike got the equipment. The Signal CEO says he “accidentally found the device when it fell out of a van”. According to Marlinspike, the machine is equipped with the latest Cellebrite software.
When Marlinspike examined the device, he discovered several vulnerabilities in the software. Someone who wants to sabotage the device could use it to break in and view files.
“We are surprised that very little care has apparently been put into Cellebrite’s software security,” he writes. “Standard protection measures are lacking and there are many opportunities to exploit vulnerabilities.”
Marlinspike says he wants to share the vulnerabilities in the software with Cellebrite in exchange for transparency about which weaknesses in smartphones are exploited through the Cellebrite equipment.
Marlinspike’s claims are hard to confirm. Cellebrite responded to Gizmodo’s commitment to protecting customer data and providing regular updates to the software.