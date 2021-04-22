- Advertisement -

- Advertisement -

- Advertisement -

- Advertisement -

The web has been turned upside down with the latest news that Signal CEO Moxie Marlinspike has been able to hack one of the US police’s favorite phone decryption tools. The news first came through a post on Signal’s public blog.

Within it, Marlinspike explains in detail the vulnerabilities it found in the tools of Cellebrite, the Israeli company in charge of developing the programs most used by the police.

This news is not only surprising because of the fact that the company was violated, but also because the CEO did not notify the company in advance of his discoveries, a practice that is usually the most common in the medium today.

Signal CEO managed to hack the police tool without much trouble

Within his post, the CEO of Signal stated that Cellebrite’s software was surprisingly unprotected. And that, in fact, the “Industry standard exploit mitigation defenses.” In addition to the fact that, in addition, many possibilities were found to exploit other vulnerabilities.

“Until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is not to scan the devices,” wrote Marlinspike.

This is because, as explained in the blog post, Cellebrite vulnerabilities can be exploited in very dangerous ways. For example, programs within devices scanned by the Israeli company’s tools could be used to filter out a driver. In this way, they could edit both the documents already scanned and collected, as well as those that will come.

Undetectable control

The scope of this vulnerability is much greater than what is initially seen. To show this, the CEO of Signal explained that if a Cellebrite tool is hacked, the perpetrator could:

“(…) [alterar los datos] in any arbitrary way (inserting or deleting text, email, photos, contacts, files or any other data), with no detectable time stamp changes or checksum failures”.

As a consequence, evidence from police cases would be compromised if someone else succeeded in repeating the feat of the Signal CEO and hacked into the Cellebrite tool. Hence, Marlinspike’s advice is then to avoid the use of these elements until the vulnerabilities are addressed and fixed.

Read also:

Signal: know the origin of the messaging app that could take the throne from WhatsApp

.