Hacker Leaks Cellebrite's Phone-Hacking Tools

In January we learned that a hacker broke into Cellebrite's network and stole 900GB of data. Now the hacker has dumped some of Cellebrite's phone-hacking tools on the Internet.

In their README, the hacker notes much of the iOS-related code is very similar to that used in the jailbreaking scene, a community of iPhone hackers that typically breaks into iOS devices and releases its code publicly for free.

Jonathan Zdziarski, a forensic scientist, agreed that some of the iOS files were nearly identical to tools created and used by the jailbreaking community, including patched versions of Apple's firmware designed to break security mechanisms on older iPhones. A number of the configuration files also reference "limera1n," the name of a piece of jailbreaking software created by infamous iPhone hacker Geohot. He said he wouldn't call the released files "exploits" however.

Zdziarski also said that other parts of the code were similar to a jailbreaking project called QuickPwn, but that the code had seemingly been adapted for forensic purposes. For example, some of the code in the dump was designed to brute force PIN numbers, which may be unusual for a normal jailbreaking piece of software.

"If, and it's a big if, they used this in UFED or other products, it would indicate they ripped off software verbatim from the jailbreak community and used forensically unsound and experimental software in their supposedly scientific and forensically validated products," Zdziarski continued.

If you remember, Cellebrite was the company that supposedly helped the FBI break into the San Bernardino terrorist iPhone. (I say "supposedly," because the evidence is unclear.) We do know that they provide this sort of forensic assistance to countries like Russia, Turkey, and the UAE -- as well as to many US jurisdictions.

As Cory Doctorow points out:

...suppressing disclosure of security vulnerabilities in commonly used tools does not prevent those vulnerabilities from being independently discovered and weaponized -- it just means that users, white-hat hackers and customers are kept in the dark about lurking vulnerabilities, even as they are exploited in the wild, which only end up coming to light when they are revealed by extraordinary incidents like this week's dump.

We are all safer when vulnerabilities are reported and fixed, not when they are hoarded and used in secret.

Slashdot thread.

Posted on February 6, 2017 at 6:30 AM • 34 Comments

Comments

r • February 6, 2017 7:10 AM

One hand watches the other; Timex, Rolex, Apple.

Your words will escape you. They will come home to roost in others', oblivious to their creators' intent.

Even if you're here for what you view as the good of humankind, other humans have other ideas and publication means a loss of control.

Information is agnostic to the barriers we construct in our minds, it's the reverse plaster cast of your hand when you were 12 held up for all to see fingerprint and all.

r • February 6, 2017 7:17 AM

It's the 50 megapixel photo of you and your father and of the iris that shapes your minds eye to the world.

We scan backwards and forwards we all scan for others and sometimes, we scan for you.

The horizon is bleak,

Don't blink, you could very well miss it.

Rien • February 6, 2017 8:56 AM

I'm disappointed that a writer who should have known better still wrote the redundant "PIN numbers."

Slime Mold with Mustard • February 6, 2017 8:57 AM

@r
When I was 12 (1974), a Boy Scout leader who was also a cop volunteered to show us all the really cool art of fingerprinting. I declined. My military prints are a mess.

My now retired boss often claimed I was so good at my job because I'm a crook at heart.

Sincerely,

Uncaught

Max • February 6, 2017 9:12 AM

The case for disclosing bugs is actually quite weak. There isn't in any real sense a finite supply of bugs, so disclosure doesn't fix anything, it's just unilateral disarmament.

Of course it's not nice to hoard bugs, but that's a problem of ethics, not technology. Talking about disclosure as if you could fix all the bugs clouds the issue, which is niceness not bugs.

Bob • February 6, 2017 9:17 AM

@Wm

I love this too... I always think of security companies that cater to governments as pathetic and hypocritical. They advertise being above hackers, both by their techniques and morals, but they are script kiddies fooling themselves.

Wael • February 6, 2017 9:57 AM

@Rien,

I'm disappointed that a writer who should have known better still wrote the redundant "PIN numbers."

Are you suggesting that @Bruce suffers from RAS syndrome?

Step 1: Assume he knows better about security and writing
Step 2: See if you can reconcile the meaning or understand the reasons he used redundancy
Step 3: If step 2 cannot be resolved, then you may be justified to be disappointed

Read the "Reasons for use" section... I see the deliberate redundancy is used here for clarification.

PIN: Personal Identification Number

Brute force PINs: Brute force a group of PIN
Brute force PIN numbers: Try every number in a set of PINs

What does one brute-force? The personal or the identification, or the numbers?

The only thing I fear now is @Bruce thanking him for the correction and making an ass out of me (assume) -- that would truly suck and put an early dent in my day.


Wael • February 6, 2017 10:42 AM

@Wm, @Bob,

used forensically unsound and experimental software in their supposedly scientific and forensically validated products

They're nothing short of opportunistic middlemen (women) sales organizations that project an image of top notch security organizations that are oh-so-cutting-edge-super-intelligent researchers. They buy or plagiarize from places like this blog to pleasurize TLAs who'll gladly pay tons of money for tools already freely available if they looked closer. The delta these organizations add is at best a "packaging solution" of minimal technical incremental value.

And their cunning PR and marketing folks just don't tell you how many times they "goofed" in the past (to put it diplomatically.) Ask @agent r and the "high spook" about the details...

Anura • February 6, 2017 11:22 AM

@Wael

And their cunning PR and marketing folks just don't tell you how many times they "goofed" in the past (to put it diplomatically.) Ask @agent r and the "high spook" about the details...

Regarding your conversation there, the rat in The Abyss was actually breathing liquid; that wasn't special effects.

Real oxygenated fluorocarbon fluid was used in the rat fluid breathing scene. Dr. Johannes Kylstra and Dr. Peter Bennett of Duke University pioneered this technique and consulted on the film. The only reason for cutting to the actors' faces was to avoid showing the rats defecating from momentary panic as they began breathing the fluid.

http://www.imdb.com/title/tt0096754/trivia?item=tr1839442

Wael • February 6, 2017 11:28 AM

Yet another example of past "failures" that somehow gets spun as a @success story": The IETs they assemble ain't cuttin' it, right @Dirk Praet?

@Anura,

How about Ed Harris?

Anura • February 6, 2017 11:33 AM

@Wael

How about Ed Harris?

To the best of my knowledge, there is absolutely no insurance policy that would cover that.

Sofa • February 6, 2017 11:33 AM

@Rien
@Wael

I hope Wael doesn't mean Bruce as it is not Bruce's error. Note the inset quote block, it is directly quoted from the article linked. So the fault lies with Joseph Cox, the author of the Motherboard.vice.com article. At worst Bruce is guilty of not using [sic], but even that is optional I believe.

-Sofa

Wael • February 6, 2017 11:40 AM

@Anura,

No need to reply regarding Ed Harris. The link you provided describes the events. Correction:

@success story should be "success story".

@Sofa,

I hope [...] doesn't mean Bruce

I did because I failed to authenticate the message. Thanks!!! I only looked at the quoted text and didn't read the full thread description. Lesson learned, I think!

Wael • February 6, 2017 12:31 PM

@Sofa,

At worst Bruce is guilty of not using [sic], but even that is optional I believe.

One more thing: my comment's intent was to exonerate -- not to blame @Bruce!

Had I realized it was a quoted text, I wouldn't have said a word about it.

Clive Robinson • February 6, 2017 1:29 PM

@ Wael,

"PIN number" is correct irrespective of who wrote it originally. Think about it in the possessive form: "Wael's PIN" is in effect a pointer or label or description of an information object that contains a number in a standard format. Whereas "Wael's PIN number" is actually asking for the actual number that is stored within the object, not the object.

Where people get confused is with things like "The ATM machine" which might be correct in some cases and not in others. Consider "The machine within the ATM" is the same as "The engine within the car" and in that context "The ATM machine" would be correct as it's referring to "the machine within the ATM" which is a part within the ATM. After all you would not hear people complaining about the use of "The ATM screen". Its use is often incorrect when somebody says "Go use the ATM machine".

If you want to "sprain your brain" think about the word "Buffalo": it is the label for a species, it's also a synonym for "bully", so "Buffalo buffalo buffalo" is as correct as "Girls bully Boys"...

It's just the way the English language pans out...

Anura • February 6, 2017 1:47 PM

@Clive Robinson

If you want to "sprain your brain" think about the word "Buffalo": it is the label for a species, it's also a synonym for "bully", so "Buffalo buffalo buffalo" is as correct as "Girls bully Boys"...

I'd like to turn your attention to "Buffalo fish police":

http://buffalofishpolice.tumblr.com/

herman • February 6, 2017 1:48 PM

"It's just the way the English language pans out... " Yes, but verbing of nouns weirds the language.

Wael • February 6, 2017 1:56 PM

@Sofa,

Psst: And if there is anyone guilty of RAS syndrome, then it's truly yours. With spelling mistakes, too!

Maaaaaybe I would have even read the RFTM

It's easy to detect "defects" in others' work. Amazing how a swift, proportional and measured punishment comes (back at me.) There is justice in this world, after all. And the frequent sets of coincidences are mind-boggling. Enough about this topic, I don't wish to detail the thread in its cradle.

I need to get back on track... but I just read the latest comment!

is correct irrespective of who wrote it...

Un freaking believable! @Clive Robinson! Work with me to recover from this unintentional digression, man! I see a yellow card in our immediate future! I don't want to read your obituary, or you mine! I hear "he's" packing a Magnum 44! And please don't talk about ammunition for the next few hours ;)

hacker broke into Cellebrite's network and stole 900GB of data.

How do you think she did it?

Wael • February 6, 2017 2:31 PM

I say she dropped a USB thumb drive in their parking lot. Their Chief IT person found it and stuck it in the main development build server to scan it for malware. It failed the test, so he threw it back in the parking lot. He apparently forgot to see what data it "collected". Not too far fetched, yes?

Rien • February 6, 2017 3:08 PM

@Wael

Are you suggesting that @Bruce suffers from RAS syndrome?

No; Bruce didn't write the article at Motherboard, he only quoted it.

Jonathan Wilson • February 6, 2017 3:09 PM

Hopefully whatever exploits the leaked tools and code are making use of get fixed by the vendors where they haven't already been fixed.

Dirk Praet • February 6, 2017 3:42 PM

@ Wael

How do you think she did it?

The janitor put someone's personal time machine device in his pocket, then sold it off to the highest bidder.

We once had a really cool security officer who randomly ran off with any loose laptop or other unsecured device on our desks and never gave it back until the next morning. We gradually learned to stow away, lock, hide or even glue everything we used so he couldn't take it. He was eventually fired by a spiteful MD he had sent home for having forgotten his badge. Needless to say the MD was a repeat offender who considered himself above whatever security policy.

Tõnis • February 6, 2017 4:59 PM

Still laughing at Cellebrite, still laughing at Apple. Not even state police (probably not even the FBI) can get meaningful access to the data at rest on my password locked, encrypted BlackBerry 10 handset or its micro SD card.

Clive Robinson • February 6, 2017 7:13 PM

@ Herman,

Yes, but verbing of nouns weirds the language

True, but... "weirding" gives the language a little life, colour and even "edginess". Or as noted last century in "The Language Instinct" (Steven Pinker), "The easy conversion of nouns to verbs has been part of English grammar for centuries; it is one of the processes that make English English." :-/

Also think about other ways you could "constructively" mangle a language: to use "TLA" is better than the contraction to a new word of "threeletteracronym", which might often need to become a noun by usage, which could be very 'anouning'1.

1 Ouch, Nurse fetch the crepe bandage I think I've twisted it a little too far ;-)

Clive Robinson • February 6, 2017 7:49 PM

Back on topic sort of...

Cellebrite has in effect stolen the work of others (the jailbreak community) and used it for purposes other than originally intended by its originators. Thus "They have done a Sony" and it would appear been reproached in a similar way.

From a philosophical point of view can morals negate each other, that is can two "negative acts" of IP theft be a "positive act" of "shaming"?

I suspect Cellebrite, will not see what they did as "IP theft" but will see the copying of their internal documents and files as a "heinous crime", such is the behaviour we oft see with those on the edge of lawful behaviour.

But it is a little less of a philosophical muse when you consider it a different way. That is, consider the doctrine of "Fruit of the poisoned vine", whereby evidence obtained by a crime is not allowed to be put before a jury. Cellebrite have "stolen" the work of others and passed it off as their own; this makes it "tainted" at best. Thus the question: can Cellebrite's stolen tools ever be used to conduct an investigation?

After all if Cellebrite steals to make a living they are exhibiting moral turpitude, would you dare trust them to not "Put a thumb on the scales of justice" to make even more profit?

r • February 6, 2017 10:01 PM

@cphinx,

The Apple likely hasn't fallen too far from the iss tee.

In the name of co-habitation and all,

al-Tarda • February 7, 2017 8:41 AM

FBI has got to be very nervous about this. Comey's hysterical demands for an iOS backdoor turned out to be a diversion from FBI's concerted effort to destroy evidence in the San Bernardino case. If it weren't for Apple's trade secrets, a CIA armed attack on the civilian population would have been exposed off the bat.

This corporate collusion with a criminal state makes Barrett Brown's kind of activism critically important. Now that he's back, we're liable to find out that the SEALs whacked the wrong gangling religious fanatic. Comey the terrorist is still at large with his database of mental defectives to frame or entrap.

i've got my fingers in your position independant executable. • February 7, 2017 5:30 PM

Fail,

No body no evidence, it's amazing to me that you Russian trolls haven't been relabeled as a national security threat at this point.

I can wait.

US of Dupes • February 7, 2017 7:07 PM

Look at you, fixating on Russian boogiemen, hiding behind Mommy government's skirts, begging Mommy for more national security, more more more, oh please, too many threats, keep me safe, while your treasonous domestic enemies in CIA and FBI blow you up in OKC (using Andreas Karl Straßmeir as a cutout), in NYC, TWICE (again and again), and with lots of little shooters and bombers (How did you ever endure the Bowling Green Massacre?) And you never learn. You've given up all your rights and freedoms like shivering sissy cowards - Why your rulers keep it up I don't know, perhaps for fun. They're curious to see how much you will submit to.

Full borne intrigue • February 7, 2017 7:14 PM

I don't need them to keep me safe at night, I have wu for that.

Go get your handler

Too can play at that game • February 7, 2017 7:37 PM

In case you haven't caught on yet, there's an elephant in the room. All you are doing is implicating yourselves; the smart thing to do would be to shut up and shut down, but I guess that leaks too, hrm?

I'm sure it beats hard time in a Russian Gulag no?

One day you'll wake up and realize you're still in a forced labor camp, what are you going to do when it all crashes down on you?

You should be caching information, you should be caching future expenses.

A penny shaved is a penny earned, who's proofreading your books?

What would the GRU think if they found out you were hedging a bet?

Be careful in how you respond and don't take too much time because a delay means you're thinking.
