Techno Vigilante

Signal being Signal

An extraordinary response from Signal's founder directed at Cellebrite, which recently announced the supposed ability to break the messaging app's encryption. Cellebrite is a company that sells software for extracting information from encrypted devices and applications, and it has often been called out for doing business with authoritarian governments such as Venezuela, Russia and China.

Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands.

Anyone familiar with software security will immediately recognize that the primary task of Cellebrite’s software is to parse “untrusted” data from a wide variety of formats as used by many different apps. That is to say, the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.

Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.

The post describes what they found in more detail, including the fact that Cellebrite has copied Apple's DLLs into its software, surely without permission.

The article reminded me of a question I have been asking myself for a long time. Why haven't we replaced WhatsApp with Signal? It is the most secure and private messaging app of its kind, it has no sudden changes to its terms and conditions of service, and it is not developed by you-know-who.