Israeli digital forensics firm Cellebrite is known for helping law enforcement unlock and extract evidence from iOS and high-end Android phones. But in a twist, Moxie Marlinspike, the creator of the encrypted messaging app Signal, turned the tables by uncovering vulnerabilities in Cellebrite's own software that make it possible to execute arbitrary code on the Windows machine running the analysis, triggered by nothing more than a specially formatted file sitting on the device being scanned.
Cellebrite sells Universal Forensic Extraction Devices (UFEDs), which are used to get past lock screen and encryption protections and pull data off a phone, alongside a companion software package called Physical Analyzer that aims to "uncover key pieces of digital evidence, trace events, and examine digital data."
"Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security," Marlinspike said. "Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present."
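The "industry-standard exploit mitigation defenses" Marlinspike refers to are opt-in flags that a Windows build sets in each binary's PE header: ASLR (DYNAMIC_BASE, plus HIGH_ENTROPY_VA on 64-bit), DEP (NX_COMPAT) and Control Flow Guard (GUARD_CF). The following is an added example, not code from Signal's post or from Cellebrite, showing how to check those flags yourself by reading the DllCharacteristics field of the optional header. It builds a small synthetic PE header in memory so it runs offline; the images it inspects are constructed here and say nothing about any real Cellebrite binary.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
MITIGATION_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR (meaningful for PE32+ only)
    "DYNAMIC_BASE": 0x0040,     # image may be relocated (ASLR opt-in)
    "FORCE_INTEGRITY": 0x0080,  # loader enforces the Authenticode signature
    "NX_COMPAT": 0x0100,        # DEP / non-executable data pages
    "NO_SEH": 0x0400,           # image uses no structured exception handlers
    "GUARD_CF": 0x4000,         # Control Flow Guard instrumentation present
}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(data: bytes) -> tuple:
    """Return (optional_header_magic, dll_characteristics) or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 of the optional header in both
    # PE32 and PE32+ layouts (the ImageBase/BaseOfData differences cancel out).
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return magic, dll_chars


def pe_mitigations(data: bytes) -> dict:
    """Map each mitigation flag name to whether the image sets it."""
    _, dll_chars = parse_pe_header(data)
    return {name: bool(dll_chars & bit) for name, bit in MITIGATION_FLAGS.items()}


def missing_mitigations(data: bytes) -> list:
    """Flags a hardened build would set but this image lacks, in a fixed order."""
    magic, _ = parse_pe_header(data)
    flags = pe_mitigations(data)
    wanted = ["DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"]
    if magic == PE32PLUS_MAGIC:
        wanted.append("HIGH_ENTROPY_VA")
    return [name for name in wanted if not flags[name]]


def build_synthetic_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE image (headers only, no sections) used as sample input."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py some.exe some.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            missing = missing_mitigations(fh.read())
        print(path, "OK" if not missing else "missing: " + ", ".join(missing))
```

This only reads what the linker recorded; it says nothing about stack cookies (/GS) or about whether a DLL loaded at runtime was built with the same flags, so run it over every module an application ships, not just the main executable.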
On top of everything, Marlinspike also claimed he found evidence of Cellebrite violating Apple's copyright by shipping two installer packages digitally signed by Apple, likely extracted from the Windows installer for iTunes version 12.9.0.167. "This might present a legal risk for Cellebrite and its users," he added.
"Cellebrite is committed to protecting the integrity of our customers' data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available," the company said in response to the findings.
Besides the fact that this exposé came weeks after Cellebrite claimed to have "cracked" Signal, when all it had shown was that it could read messages from an already unlocked Android device (which anyone can!), the development highlights the "buggy nature of the cops' hacking technology."
Marlinspike declined to say how he came into possession of the tools in question, but said he obtained the gear by a "truly unbelievable coincidence" as he was out for a walk and "saw a small package fall off a truck ahead of me." An unbelievable coincidence indeed!
What’s trending in security
🛡️ Dan Kaminsky, the security researcher widely known for discovering the 2008 DNS cache-poisoning flaw and for mapping the spread of the Sony rootkit, passed away at 42. The cause of his death is not publicly known. Revisit the WIRED story from 2008 that details the DNS vulnerability. [WIRED]
💣 Seth Aaron Pendley, 28, was arrested over an alleged plot to bomb an Amazon data centre, which he believed would "kill off about 70% of the internet." [BBC]
🇷🇺 The U.S. government sanctioned Russia for the SolarWinds hack, formally pinning the espionage campaign on Russia's foreign intelligence service, the SVR. Also caught in the net is a high-profile cybersecurity firm named Positive Technologies. NPR's Dina Temple-Raston has the full story of how the SolarWinds attack happened. [The Hacker News / NPR]
🇵🇸 Facebook disrupted malicious activities perpetrated by two state-sponsored hacking groups operating out of Palestine that abused its platform to distribute malware. [The Hacker News]
🇺🇸 The FBI stepped in to remove backdoors dropped by China-backed hacking group Hafnium on vulnerable Microsoft Exchange Servers. Will this set a precedent? [ZDNet]
⚠️ Researchers discovered a flaw that lets anyone deactivate another user's WhatsApp account knowing only their phone number: repeatedly triggering verification-code requests for the victim's number locks it out, after which an email to WhatsApp support is enough to have the account deactivated. [Forbes]
🚩 More WhatsApp news. New research published by Traced has found that cyberstalkers can abuse WhatsApp's online status to figure out when a user is active. "There are even several apps and websites that allow anyone to simply enter a number and see whether the number's owner is online on WhatsApp. Some sites even let people enter two numbers and see when their online status overlaps," reported Vice. [Traced / Vice]
💬 A previously disclosed wormable Android malware capable of spreading via WhatsApp messages has now been updated to auto-reply to received messages on Signal, Skype, Viber, and Telegram. The replies link to a malicious website that further propagates the malware. [ESET]
🔓 The FBI partnered with an Australian security firm called Azimuth Security to gain access to an iPhone 5c linked to the 2015 San Bernardino shooting, a new report from The Washington Post reveals. [The Washington Post]
🚨 A malware called "HabitsRAT" has been found targeting Linux machines to plant a backdoor capable of executing arbitrary code on the infected system. [Intezer]
🇬🇧 An update to England and Wales's official COVID-19 contact tracing app was blocked after it added a feature that prompted users to upload logs of their venue check-ins, violating Apple and Google's privacy-centric contact-tracing tech that forbids any sort of location data collection. [BBC]
🇨🇳 At least two threat actors, one of them possibly linked to China, have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks. [The Hacker News]
🇮🇪 The giant Facebook data leak that's said to have happened in 2019 but only came to light recently is attracting scrutiny. First, the incident is now under investigation by the Irish Data Protection Commission. Second, an Ireland-based digital rights group said it's commencing a "mass action" to sue the company over the 2019 breach, citing the right to monetary compensation stipulated in the European Union's General Data Protection Regulation (GDPR).
Then earlier this week, a researcher demonstrated a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day, even when users choose settings to keep them from being public.
What's more, as yet another cache of Facebook phone numbers sprang up in the form of a Telegram bot, Facebook appears to paint mass scraping as a "normalized, broad industry issue" after it faced criticism for downplaying the severity of the leak. "Longer term, though, we expect more scraping incidents and think it's important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly." [TechCrunch / Vice]
❌ The Linux kernel project maintainers imposed a ban on the University of Minnesota from contributing to the open-source Linux project after researchers were caught submitting a series of malicious code commits in an attempt to deliberately introduce security flaws in the codebase as part of research. The University said it's investigating "the research method & the process by which this research method was approved, determine appropriate remedial action, & safeguard against future issues, if needed." [Bleeping Computer]
📶 An AirDrop user's phone number and email address can be learned by anyone with a Wi-Fi-capable device in range as soon as the user opens the sharing pane on iOS or macOS, according to new research: the AirDrop handshake exchanges the user's contact identifiers as SHA-256 hashes, and a phone number's hash is cheap to brute-force. [TU Darmstadt]
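Why a hashed phone number is no protection: a phone number has far too little entropy for an unsalted hash to hide it. The following is an added example, not code from the TU Darmstadt researchers or from Apple, that hashes a constructed phone number the way the handshake does (plain SHA-256 over the identifier; the exact normalization Apple applies to the number string is an assumption and not reproduced here) and then recovers it by enumerating a numbering plan. Email addresses have more entropy, so the second function shows the candidate-list approach that works for them.

```python
import hashlib
from typing import Iterable, Optional


def hash_identifier(identifier: str) -> str:
    """Hex SHA-256 of a contact identifier.

    Assumption: the identifier is hashed as a plain UTF-8 string with no salt,
    which is what makes the hashes below reversible.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_phone_number(target_hash: str, country_code: str,
                         area_codes: Iterable[str],
                         subscriber_digits: int = 7) -> Optional[str]:
    """Brute-force a hashed phone number over a numbering plan.

    The search space is len(area_codes) * 10**subscriber_digits candidates:
    with 7 subscriber digits that is 10 million hashes per area code, which a
    single CPU core gets through in seconds, so an unsalted hash leaks the number.
    """
    for area in area_codes:
        for n in range(10 ** subscriber_digits):
            candidate = f"{country_code}{area}{n:0{subscriber_digits}d}"
            if hash_identifier(candidate) == target_hash:
                return candidate
    return None


def recover_from_candidates(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack for identifiers with more structure than a phone number.

    For an email address an attacker enumerates likely local parts (names,
    initials, leaked address lists) over a small set of domains; each guess
    costs one SHA-256.
    """
    for candidate in candidates:
        if hash_identifier(candidate) == target_hash:
            return candidate
    return None


def email_candidates(first: str, last: str, domains: Iterable[str]) -> Iterable[str]:
    """Common corporate/personal address patterns for one person (constructed, illustrative)."""
    first, last = first.lower(), last.lower()
    for domain in domains:
        for local in (f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}",
                      f"{first}_{last}", f"{first}"):
            yield f"{local}@{domain}"


if __name__ == "__main__":
    # Constructed sample: a fictional number in a reserved 555 exchange.
    leaked = hash_identifier("+15550042")
    print(recover_phone_number(leaked, "+1", ["555"], subscriber_digits=4))
    leaked_mail = hash_identifier("jane.doe@example.com")
    print(recover_from_candidates(leaked_mail, email_candidates("Jane", "Doe", ["example.com"])))
```

The fix the researchers proposed is not a stronger hash but a private set intersection protocol, so that neither side reveals an identifier the other does not already hold; hashing alone cannot protect a value an attacker can enumerate.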
🗃 The past fortnight in data breaches, leaks, and ransomware: Codecov, Geico, Mobikwik, ParkMobile, Passwordstate, Phone House España, Quanta, and Upstox.
$75 million
That's the total amount of Bitcoin ransom payments the group behind the Maze and Egregor ransomware, tracked as "Twisted Spider," is believed to have earned to date. "We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom," security firm Analyst1 said in a new report.
And that's it. Stay safe!
-Ravie