Security Week 17: Vulnerabilities in Phone Hacking Hardware

The interesting news of last week is a study by Moxie Marlinspike, creator of the secure messenger Signal, of Cellebrite's tool for extracting data from smartphones. The tool consists of hardware for connecting to a range of smartphones and other mobile devices, plus software for Windows. The suite does not do "hacking" in the classical sense: Moxie compares its work to that of a police officer who takes your jailbroken phone and transcribes all the messages from your messaging apps. The suite simply automates that task.

Cellebrite and Signal are thus on opposite sides of an ideological front. Cellebrite's product is used by law enforcement agencies around the world to gain access to data that a user would prefer to keep confidential, Signal conversations included. Signal's goal is to ensure that chat messages are available to no one but the participants. The most vulnerable link in that chain is the user's smartphone: whoever gets access to the unlocked device can read all the correspondence. The Signal creator obtained a Cellebrite device by unknown means and found vulnerabilities in its software.

Moxie does not explain how he obtained the device, or rather explains it vaguely: he was walking down the street, and lo and behold, a complete kit for analyzing mobile phones was lying on the asphalt. Naturally, makers of such devices provide their equipment only to trusted organizations, and Signal is not among them. The researcher analyzed the software, which, given the task it performs, includes many parsers for data from different applications. Such handlers are always a breeding ground for vulnerabilities, and the ffmpeg set of codecs is given as an example. These libraries are used by the multimedia parsing component of Cellebrite UFED, and Moxie found an outdated release from 2012. Since then, over a hundred security patches have been released for ffmpeg.

As a result, Moxie found without much difficulty a vulnerability with the following consequence: if Cellebrite reads a specially "prepared" file on the phone, it becomes possible to replace the data in the generated report, and even to alter previous reports or ensure that future reports are altered. This is a strong hint that Moxie was able to gain full control of the software through a vulnerability in the data parser. At the end of the publication, Marlinspike reports that the next update of the Signal messenger will contain an additional file that has no effect whatsoever on functionality. The file is not interesting at all, and it is recommended not to pay any attention to it. In other words, it is possible (although not stated directly) that analyzing a phone with Signal installed could corrupt the data the suite generates as evidence.

And this is, of course, a very strange story. First, it is customary to report vulnerabilities to the vendor so that they can be fixed. Exploiting them for your own benefit is what the dark side does, and the fact that you personally dislike the vulnerable software for some reason is no justification for such actions. Secondly, what is going on here: will an exploit be distributed along with a legitimate messenger? Let's assume the Signal creator was joking. Or was he? In any case, this is an interesting example of moral pressure on an ideological adversary, albeit one completely outside the bounds of normal hacker ethics. More generally, the story tells us that it is worth thinking about the security of even those tools that are used far outside the corporate network's defensive perimeter. Under certain circumstances, they can be the weakest link.

What else happened:

An investigation of vulnerabilities in security alarm systems with a sad result: problems discovered by Eye Security allow an alarm to be disarmed remotely. More than ten thousand installations (mainly in Germany) are affected, and only a thousand have been patched.

The password manager Passwordstate was hacked, and the attackers distributed malware to its users; 29 thousand customers were affected. The scheme is a classic one: the update server was compromised, and a modified executable was pushed out through it.
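The reason a compromised update server is so effective is that many clients trust whatever the server hands them. The added example below (not code from the page or from Passwordstate; the key pair, the payloads and the tampering step are all constructed for illustration) shows the check that defeats this scheme: the vendor signs each release offline, the client pins the vendor's public key, and a payload swapped on the server fails verification because the stored signature no longer matches it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is what a client fetches from an update server: the executable bytes
// plus a signature that was produced with the vendor's offline signing key.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate runs on the vendor's build machine, never on the update server.
// The server only stores and serves the signed result, so compromising it
// does not yield the private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate runs on the client before anything is installed. It trusts only
// the vendor public key pinned in the already-installed build, not the server.
func VerifyUpdate(pub ed25519.PublicKey, u Update) bool {
	digest := sha256.Sum256(u.Payload)
	return ed25519.Verify(pub, digest[:], u.Signature)
}

// Tamper simulates a compromised update server that replaces the executable
// while leaving the stored signature untouched (the attacker has no signing key).
func Tamper(u Update, replacement []byte) Update {
	return Update{Payload: replacement, Signature: u.Signature}
}

// Demo generates a throwaway key pair (hypothetical vendor key) and reports
// whether the genuine and the tampered update pass verification.
func Demo() (genuineAccepted bool, tamperedAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payloads standing in for real executables.
	genuine := []byte("constructed: vendor-built update, version 1.2.3")
	trojan := []byte("constructed: modified executable dropped on the server")

	signed := SignUpdate(priv, genuine)
	tampered := Tamper(signed, trojan)
	return VerifyUpdate(pub, signed), VerifyUpdate(pub, tampered)
}

func main() {
	ok, bad := Demo()
	fmt.Printf("genuine update accepted:  %v\n", ok)
	fmt.Printf("tampered update accepted: %v\n", bad)
}
```

The design point is where the trust lives: the public key ships inside the product and the private key never touches the server, so an attacker who owns the update server can serve files but cannot make the client accept a modified one. A hash published on the same server would not help, since the attacker controls that too.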

A trivial vulnerability was found and closed in the app for the social network Clubhouse: Katie Moussouris, founder of Luta Security, found a way to remain in a room while invisible to the moderators and immune to being banned. The attack worked in those voice chats the malicious user had previously been admitted to.

Leaks about not-yet-released Apple laptops are usually not a topic for information security news. But last week such data spread online as a result of an attack on Apple supplier Quanta. The organizers of the attack put pressure on the victim organization (or on Apple itself) by publishing some of the stolen information publicly.

Linux kernel maintainer Greg Kroah-Hartman has blocked all commits from University of Minnesota staff. This happened after the publication of a research paper in which the authors (also university employees) tried to push knowingly vulnerable code into the Linux kernel and measured how well the flaws were detected. Research result (source in PDF): in 60% of cases, the flawed code was accepted.
