Delightful post from Signal founder Moxie Marlinspike on Signal's reverse-engineering of a Cellebrite UFED, the forensic device used to extract data from seized phones (Cellebrite recently claimed to be able to read the local files Signal stores on a device):
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices. Cellebrite could reduce the risk to their users by updating their software to stop scanning apps it considers high risk for these types of data integrity problems, but even that is no guarantee.

We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.
Lots more than this in the full post, including the fact that Cellebrite's Windows installer bundles DLLs signed by Apple that appear to have been extracted from the iTunes installer.