Software developed by data extraction company Cellebrite contains vulnerabilities that allow arbitrary code execution on the device, claims Moxie Marlinspike, the creator of the encrypted messaging app Signal.

Cellebrite products are commonly used by police and governments to unlock iOS and Android phones and extract data on them. Last December, the company announced that its Physical Analyzer also gave access to data from Signal. In a blog post earlier today, Marlinspike, a cryptographer and security researcher, said that Cellebrite’s software works by parsing data that comes from an untrusted source. This means that it accepts input that may not be formatted correctly, which could trigger a memory corruption vulnerability that leads to code execution on the system. Because of this risk, one would assume that the developer was sufficiently careful to set up protections or use code that is not susceptible to vulnerabilities.

Yes one would really expect if the business of your company is to hack devices to give access to law enforcement etc, that you’d be savvy enough to protect your own computers ;-)

See https://www.bleepingcomputer.com/news/security/signal-ceo-gives-mobile-hacking-firm-a-taste-of-being-hacked/

#technology #security #hacking #cellebrite