Security Week 17: Vulnerabilities in Phone Hacking Hardware

Interesting news last week: research by Moxie Marlinspike, creator of the secure messenger Signal, on Cellebrite's tool for extracting data from smartphones. The tool consists of hardware for connecting to various smartphones and other mobile devices, plus software for Windows. This kit does not do "hacking" in the classical sense: Moxie compares its work to a police officer who takes your jailbroken phone and copies out all the messages from your instant messengers. Naturally, the kit automates this task.





Cellebrite and Signal are thus on opposite sides of the ideological front. Cellebrite's solution is used by law enforcement agencies around the world to gain access to data that a user would like to keep secret, including Signal correspondence. Signal's goal is to make sure that chat correspondence is available to no one except its participants. The most vulnerable link in this communication is the user's smartphone: whoever gets access to the unlocked device can see all the correspondence. The Signal creator got hold of a Cellebrite device by unknown means and found vulnerabilities in its software.



How he managed to get the device, Moxie does not explain, or rather explains vaguely: he was walking down the street and, lo and behold, there was a complete kit for analyzing mobile phones lying on the asphalt. Naturally, manufacturers of such devices provide their equipment only to trusted organizations, and Signal is not among them. The researcher analyzed the software, which, given its task, includes many parsers for data from different applications. Such handlers are in all cases a breeding ground for vulnerabilities, and the ffmpeg codec set is given as an example. These libraries are used by Cellebrite UFED's multimedia parsing software, and Moxie found an outdated release from 2012. Since then, over a hundred security patches have been released for ffmpeg.



As a result, without much difficulty, Moxie found a vulnerability with the following consequence: if the Cellebrite kit reads a "prepared" file on the phone, it becomes possible to replace the data in the generated report, and even to alter previous reports or ensure that future reports are altered. This is a strong hint that Moxie was able to gain full control of the software through a vulnerability in a data parser. At the end of the publication, Marlinspike reports that the latest update of the Signal messenger will contain an additional file that has absolutely no effect on functionality. The file is not interesting at all, and it is recommended not to pay attention to it. In other words, it is possible (although this is not stated directly) that analyzing a phone with Signal installed will corrupt the data the kit generates as evidence.
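One defensive consequence of the claim that previous reports can be altered is that an extraction report is only evidence if it is tamper-evident. The hash-chain sketch below is an added example written for this page, not Cellebrite's, Signal's or Moxie's code; the report fields, device names and the GENESIS value are invented. It chains each report's SHA-256 digest to its predecessor so that an edit to an earlier report breaks every later link, and it shows why the final digest must be recorded outside the tool that produced it:

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample extraction reports (not real Cellebrite output).
SAMPLE_REPORTS = [
    {"device": "handset-A", "messages": 42, "images": 7},
    {"device": "handset-B", "messages": 3, "images": 0},
]

GENESIS = "0" * 64  # starting value for the first link of the chain


def canonical(report: dict) -> bytes:
    # Deterministic serialization so the same report always hashes the same way.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def link_digest(prev_digest: str, report: dict) -> str:
    # Each link commits to the previous digest as well as the current report.
    h = hashlib.sha256()
    h.update(prev_digest.encode())
    h.update(canonical(report))
    return h.hexdigest()


def append_report(chain: list, report: dict) -> list:
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"report": dict(report), "digest": link_digest(prev, report)})
    return chain


def verify_chain(chain: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad link.

    If expected_head is given (the final digest recorded outside the extraction
    workstation at generation time), a chain that is internally consistent but
    ends in a different digest is reported as bad at index len(chain).
    """
    prev = GENESIS
    for i, link in enumerate(chain):
        if not hmac.compare_digest(link_digest(prev, link["report"]), link["digest"]):
            return i
        prev = link["digest"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(chain)
    return None


def build_sample_chain() -> list:
    chain: list = []
    for r in SAMPLE_REPORTS:
        append_report(chain, r)
    return chain


def demo_edit_in_place() -> Optional[int]:
    # A compromised parser silently rewrites an earlier report: the stored
    # digest no longer matches, so verification fails at that link.
    chain = build_sample_chain()
    chain[0]["report"]["messages"] = 0
    return verify_chain(chain)  # 0


def demo_rebuild_whole_chain() -> tuple:
    # The attacker goes further and recomputes every digest for the altered
    # reports. The forged chain is internally consistent, which is why the head
    # digest must be anchored somewhere the extraction tool cannot reach.
    chain = build_sample_chain()
    anchored_head = chain[-1]["digest"]
    reports = [dict(link["report"]) for link in chain]
    reports[0]["messages"] = 0
    forged: list = []
    for r in reports:
        append_report(forged, r)
    return verify_chain(forged), verify_chain(forged, anchored_head)  # (None, 2)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("edited in place:", demo_edit_in_place())
    print("rebuilt chain, without/with anchored head:", demo_rebuild_whole_chain())
```

Run it directly to see the three outcomes. Hash chaining only detects edits made after a link was sealed: a parser compromised during extraction can still emit a wrong report and hash it correctly, and a tool that holds the whole chain can rebuild it, which is what the anchored head digest in the last demo guards against.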



And this is, of course, a very strange story. First, it is customary to report vulnerabilities to the manufacturer so that they can be fixed. Using them for your own advantage is the lot of the dark side, and the fact that you personally dislike the vulnerable software for some reason is not an argument for such actions. Secondly, what does this amount to: an exploit distributed with a legitimate messenger? Let's assume that the Signal creator was joking. Or not? In any case, this is an interesting example of moral pressure on an ideological adversary, albeit completely outside the boundaries of normal hacker ethics. In general, the story tells us that it is worth thinking about the security of even those tools that are used far beyond the protective perimeter of the corporate network. Under certain circumstances, it is precisely they that may turn out to be the weakest link.



What else happened



An investigation of vulnerabilities in security systems with a sad result: problems discovered by Eye Security make it possible to disarm a room remotely. More than ten thousand installations (mainly in Germany) are affected, and only a thousand have been patched.



The password manager Passwordstate was hacked, and the attackers distributed malware to its users. 29 thousand customers were affected. The scheme is classic: the update server was compromised, and a modified executable file was delivered through it.
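The mitigation for the Passwordstate scenario sits on the client side: an updater must not install whatever the update server hands it. The check below is an added example written for this page, not Passwordstate's code or update protocol; the file name, version numbers, manifest format and binary contents are invented. It verifies the update package against a manifest whose digest the client obtained over a separate channel, and it also rejects downgrades, which a compromised server could use to push back a build with known holes:

```python
import hashlib
import hmac

# Constructed stand-ins for a release; none of these are Passwordstate's real
# files, version numbers, manifest format or digests.
GENUINE_EXE = b"MZ\x90\x00 constructed genuine updater bytes"
TROJANED_EXE = b"MZ\x90\x00 constructed tampered updater bytes"
UPDATE_FILE = "updater.exe"  # placeholder file name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(version: str, files: dict) -> str:
    # Hypothetical manifest format: a version line, then "<sha256>  <name>" per file.
    lines = [f"version {version}"]
    for name in sorted(files):
        lines.append(f"{sha256_hex(files[name])}  {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> tuple:
    version = None
    digests = {}
    for line in text.splitlines():
        if line.startswith("version "):
            version = line.split(" ", 1)[1].strip()
        elif line.strip():
            digest, name = line.split(None, 1)
            digests[name.strip()] = digest
    if version is None:
        raise ValueError("manifest has no version line")
    return version, digests


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def check_update(files: dict, manifest_text: str, pinned_manifest_sha256: str,
                 installed_version: str) -> list:
    """Return the reasons to reject this update; an empty list means accept."""
    problems = []
    # 1. The manifest itself must match the value obtained out of band. If it
    #    does not, nothing inside it can be trusted, so stop here.
    if not hmac.compare_digest(sha256_hex(manifest_text.encode()), pinned_manifest_sha256):
        problems.append("manifest digest does not match the out-of-band pinned value")
        return problems
    version, digests = parse_manifest(manifest_text)
    # 2. Refuse downgrades: a compromised server may serve an old, vulnerable build.
    if version_tuple(version) <= version_tuple(installed_version):
        problems.append(f"downgrade or replay: manifest version {version} <= installed {installed_version}")
    # 3. Every delivered file must match its listed digest, and nothing extra may arrive.
    for name, expected in digests.items():
        if name not in files:
            problems.append(f"missing file {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            problems.append(f"digest mismatch for {name}")
    for name in files:
        if name not in digests:
            problems.append(f"unexpected file {name} not listed in manifest")
    return problems


# The genuine release, built once; the client pins its manifest digest out of band.
GENUINE_FILES = {UPDATE_FILE: GENUINE_EXE}
GENUINE_MANIFEST = make_manifest("1.2.0", GENUINE_FILES)
PINNED_MANIFEST_SHA256 = sha256_hex(GENUINE_MANIFEST.encode())


def demo_genuine() -> list:
    return check_update(GENUINE_FILES, GENUINE_MANIFEST, PINNED_MANIFEST_SHA256, "1.1.0")


def demo_swapped_binary() -> list:
    # Update server compromised: the manifest is genuine but the binary is not.
    return check_update({UPDATE_FILE: TROJANED_EXE}, GENUINE_MANIFEST, PINNED_MANIFEST_SHA256, "1.1.0")


def demo_forged_manifest() -> list:
    # The attacker also rewrites the manifest to match the trojaned binary.
    forged = make_manifest("1.2.0", {UPDATE_FILE: TROJANED_EXE})
    return check_update({UPDATE_FILE: TROJANED_EXE}, forged, PINNED_MANIFEST_SHA256, "1.1.0")


def demo_downgrade() -> list:
    # A genuine but already-installed release is replayed from the server.
    return check_update(GENUINE_FILES, GENUINE_MANIFEST, PINNED_MANIFEST_SHA256, "1.2.0")


if __name__ == "__main__":
    for demo in (demo_genuine, demo_swapped_binary, demo_forged_manifest, demo_downgrade):
        print(demo.__name__, "->", demo() or "accept")
```

The digest pinned out of band stands in for what a production updater does with a vendor signing key: verify a signature over the manifest, so that the trust anchor is something the update server never holds. The shape of the check is the same either way; what matters is that the anchor does not travel the same path as the payload.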



A trivial vulnerability was found and closed in the app for the social network Clubhouse: Katie Moussouris, founder of Luta Security, found a way to stay in a room while invisible to moderators and impossible to ban. The attack worked for voice chats to which the malicious user had previously been admitted.



Leaks about not-yet-released Apple laptops are usually not a topic for information security news. But last week such data spread across the network as the result of an attack on Apple's supplier Quanta. The organizers of the attack put pressure on the affected organization (or on Apple itself) by publishing some of the stolen information in the public domain.



Linux kernel maintainer Greg Kroah-Hartman blocked all commits from University of Minnesota staff. This happened after the publication of a study in which the authors (also university employees) tried to push deliberately vulnerable code into the Linux kernel and evaluated whether the errors would be detected. Research result (source in PDF): in 60% of cases the flawed code was accepted.


