Search This Blog

Showing posts with label Cellebrite. Show all posts

New Vulnerabilities in Cellebrite's Tools Discovered by a Researcher

 

Signal, the messaging app that has recently become a new focus for Cellebrite's data-collection tools for law enforcement, raised the question late last month. 

Moxie Marlinspike, the creator of Signal, claimed that software flaws discovered in Cellebrite's tools could be used to tamper with facts. As a result, one lawyer has already requested a new trial. But Marlinspike isn't the only one who has scrutinized Cellebrite's gadgets. At the Black Hat Asia conference on Friday, Matt Bergin of KoreLogic will present his latest findings, which are related to Cellebrite's Universal Forensic Extraction Device, or UFED. KoreLogic's senior information security researcher, Bergin, claims to have discovered three vulnerabilities in UFED.

Despite the fact that Cellebrite has now fixed those problems, Bergin believes that forensics software should be placed through rigorous penetration testing to find bugs that might jeopardize proof. Bergin will also display up Lock Up, an Android app he created that can factory reset a phone if it detects Cellebrite software attempting to copy data. All of his research stems from a fear that Cellebrite's forensic instruments might be tampered with by bad actors, resulting in the false accusation of innocent people. 

"My whole goal for this project was to really highlight the fact that forensics tools are not immune to software vulnerabilities. And those issues, when exploited, do have real-life implications for people. That could be the rest of your life in jail," Bergin stated. 

Bergin obtained an inside look at how the UFED starts probing devices by cracking its cryptography. He was also able to write detection signatures for how UFED communicates with a target system as a result of this experience. He then developed Lock Up, an Android application. Bergin states he will not release Lock Up because he does not want to obstruct legal law enforcement investigations. 

However, he plans to make the source code accessible, as well as the indicators of compromise, which are checksums and hashes of files that Cellebrite's UFED installs on devices before collecting data.

Cellebrite also fixed CVE-2020-12798, a privilege escalation flaw, as well as CVE-2020-14474, an issue in which Cellebrite left hard-coded keys for encrypted data right next to the encrypted data. Given the value of digital evidence's credibility, Bergin believes the software should be expanded to include penetration tests. "We need functional testing, and we need security testing," he states "It should be part of the CFTT process before any evidence collected by these tools can be used in a court of law." 

There are also questions about supply chain tampering. Bergin and Marlinspike's results, according to Hank Leininger, co-founder of KoreLogic, have raised doubts about the factuality of data. Self-integrity checks could provide some assurance that software hasn't been manipulated, he added.

Another way Cellebrite might strengthen its procedures is to issue influential public notices detailing newly found and patched vulnerabilities. "Airing your own dirty laundry after you've washed it is a good way to create trust in your security commitment," says Leininger.