Security Vulnerabilities in Cellebrite

Moxie Marlinspike has an intriguing blog post about Cellebrite, a tool used by police and others to break into smartphones. Moxie got his hands on one of the devices, which seems to be a pair of Windows software packages and a whole lot of connecting cables.

According to Moxie, the software is riddled with vulnerabilities. (The one example he gives is that it uses FFmpeg DLLs from 2012, which have not been patched with the 100+ security updates since then.)

…we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

This means that Cellebrite has one—or many—remote code execution bugs, and that a specially designed file on the target phone can infect Cellebrite.

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

That malicious file could, for example, insert fabricated evidence or subtly alter the evidence it copies from a phone. It could even write that fabricated/altered evidence back to the phone so that from then on, even an uncorrupted version of Cellebrite will find the altered evidence on that phone.
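The tampering described above defeats any checksum the extraction machine computes for itself, because a compromised tool simply recomputes it. This added example (not code from the post, from Signal, or from Cellebrite) models that, and shows how an append-only witness log of report hashes, kept off the extraction machine and authenticated with a key the machine never holds, makes the rewrite of a past report detectable; the tool model, key, device names and sample artefacts are all constructed.

```python
import copy
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic serialisation so a hash does not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def body_digest(report: dict) -> str:
    """SHA-256 over everything in the report except its own embedded checksum field."""
    body = {k: v for k, v in report.items() if k != "checksum"}
    return hashlib.sha256(canonical(body)).hexdigest()

def make_report(device_id: str, artefacts: list) -> dict:
    """What an extraction tool emits: extracted artefacts plus a checksum it computed itself."""
    report = {"device": device_id, "artefacts": artefacts}
    report["checksum"] = body_digest(report)
    return report

def embedded_checksum_ok(report: dict) -> bool:
    """The naive check: does the checksum stored inside the report match its contents?"""
    return hmac.compare_digest(report["checksum"], body_digest(report))

def tamper_and_recompute(report: dict, fake_artefact: dict) -> dict:
    """Models a compromised tool: it edits a report (here, plants an artefact) and then
    recomputes the embedded checksum, so the report still passes its own integrity check."""
    altered = copy.deepcopy(report)
    altered["artefacts"].append(fake_artefact)
    altered["checksum"] = body_digest(altered)
    return altered


class WitnessLog:
    """Append-only hash chain kept off the extraction machine (constructed for this example,
    e.g. on write-once media or a separate host). Each entry commits to one report's hash and
    to the previous entry, and is authenticated with a key the extraction machine never holds,
    so rewriting a past report, or the log itself, is detectable on later verification."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    @staticmethod
    def report_hash(report: dict) -> str:
        return hashlib.sha256(canonical(report)).hexdigest()

    def _mac(self, prev: str, report_hash: str) -> str:
        return hmac.new(self._key, (prev + report_hash).encode(), "sha256").hexdigest()

    def append(self, report: dict) -> None:
        """Called once per scan, at the time the report is produced."""
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        rh = self.report_hash(report)
        self.entries.append({"prev": prev, "report_hash": rh, "mac": self._mac(prev, rh)})

    def verify(self, reports: list) -> list:
        """Return the indices of reports that no longer match the witnessed chain, plus any
        index where the number of reports and witnessed entries disagree."""
        bad, prev = [], self.GENESIS
        for i, (entry, report) in enumerate(zip(self.entries, reports)):
            chain_ok = entry["prev"] == prev and hmac.compare_digest(
                entry["mac"], self._mac(prev, entry["report_hash"]))
            if not chain_ok or entry["report_hash"] != self.report_hash(report):
                bad.append(i)
            prev = entry["mac"]
        bad.extend(range(min(len(self.entries), len(reports)),
                         max(len(self.entries), len(reports))))
        return bad


def demo() -> dict:
    """Constructed scenario: two clean scans are witnessed, then a compromised tool silently
    rewrites the first report. The embedded checksums all still pass; the witness log does not."""
    witness = WitnessLog(key=b"example-witness-key-never-on-the-scanner")  # constructed key
    reports = [
        make_report("phone-A", [{"type": "contact", "name": "Alice"}]),
        make_report("phone-B", [{"type": "photo", "name": "IMG_0001.jpg"}]),
    ]
    for r in reports:
        witness.append(r)
    reports[0] = tamper_and_recompute(reports[0], {"type": "file", "name": "planted.bin"})
    return {
        "embedded_checksums_all_ok": all(embedded_checksum_ok(r) for r in reports),
        "witness_flags": witness.verify(reports),
    }
```

Note that the witness only helps if its key and storage are genuinely outside the reach of the machine doing the extraction; a log the compromised tool can rewrite adds nothing.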

Finally, Moxie suggests that future versions of Signal will include such a file, sometimes:

Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding.

The idea, of course, is that a defendant facing Cellebrite evidence in court can claim that the evidence is tainted.

I have no idea how effective this would be in court. Or whether this runs foul of the Computer Fraud and Abuse Act in the US. (Is it okay to booby-trap your phone?) A colleague from the UK says that this would not be legal to do under the Computer Misuse Act, although it’s hard to blame the phone owner if he doesn’t even know it’s happening.

Posted on April 27, 2021 at 6:57 AM • 35 Comments


Mustafa Turan April 27, 2021 7:09 AM

I guess here the Cellebrite is the one to blame for keeping its software unpatched for so long to make it vulnerable to this type of attack. If a piece of software resides on a computer and it patches law enforcement computers when they collect evidence, should the developer of that software be blamed?

WhiskersInMenlo April 27, 2021 7:51 AM

Since 2012 is a long time. It seems a lot of phone data is in need of an audit.
To promptly patch and update these systems risks tainting any previous assertions of evidence. And looks like a coverup.

Sloppy at best.
Sloppy contaminates expert testimony and warrants depending on it.

Lots of turtles here.

TimH April 27, 2021 9:02 AM

re: “A colleague from the UK says that this would not be legal to do under the Computer Misuse Act”.

I can see that anything that can be summarised as hacking the Cellebrite machine would be illegal. However, what I’d do is detect the Cellebrite connection and pass across spoofed contents of the phone.

Medo April 27, 2021 10:13 AM

I think the beauty here is that nobody needs to actually do anything illegal. The blog post may be enough to establish that it is plausible the evidence was tainted. Also, note that they did not specifically announce they would employ such exploits, they just heavily implied it (while giving technical details that basically say “good luck trying to figure out if we’re actually doing this”).

jamez April 27, 2021 12:01 PM

wait, why would it be considered illegal hacking to fight back when someone is hacking my phone?

TimH April 27, 2021 12:14 PM

@jamez: It’s still burglary if you steal stuff from the house of the person who burgled you…

Clive Robinson April 27, 2021 2:10 PM

@ Mustafa Turan,

If a piece of software resides on a computer and it patches law enforcement computers when they collect evidence, should the developer of that software be blamed?

If it were any other kind of product sold on a consumer market, as that software is, then the answer would be “Yes” both morally and legally (see consumer “fit for purpose” legislation in many nations).

Clive Robinson April 27, 2021 2:42 PM

@ Tim H, jamez,

It’s still burglary if you steal stuff from the house of the person who burgled you…

Wrong comparative model to use.

Look at it this way: you have a fragile vase that a burglar steals; in the process the burglar breaks it and cuts their hand badly, fails to use medical assistance and becomes seriously ill/dies of an infection.

The Cellebrite software is trespassing and taking copies of private data; it is taking by copying without the owner’s permission. The fact that Cellebrite developers are inept/incompetent is the sole reason this is possible, and should not be used as an argument against people taking reasonable precautions to protect their privacy. Otherwise it would be illegal to have curtains at your windows so that you can have privacy.

But think of it as those money boxes used to carry currency from place to place; they have anti-tamper devices that spray dye all over the money to make it useless to the thief.

This is the principle behind how these files Moxie infers might appear on phones work.

@ Bruce,

Is it okay to booby-trap your phone?

Wrong point of view, you are not booby-trapping your phone, other software would not suffer from these otherwise benign files.

It is purely a fault in Cellebrite software due to the twofold failings of Cellebrite:

1, By the software developers failing to do a sufficient or workmanlike job (which would be a crime in its own right).

2, Cellebrite knowingly setting up a selling model where their software falls into the hands of people who mainly use it in manners that are either illegal or at best very morally questionable.

As for your UK friend, I think you should ask for their reasoning, I suspect there is a fault in their otherwise valid reasoning.

That fault being the question of who is breaking into whose computer.

That is, it is the Cellebrite software attacking a user’s passive phone, not the user’s phone attacking the Cellebrite system.

@ ALL,

There is an old saying from William Shakespeare that applies rather more aptly to Cellebrite than it does to many other uses.

That is Cellebrite,

“Are hoist by their own petard”

Which alone is reason enough to raise a smile.

Privacy is security April 27, 2021 2:45 PM

Hacking somebody’s phone is illegal, to begin with.
It’s recently been ruled that hacking back in self-defense is perfectly legal.
Why not do this in every install?

SpaceLifeForm April 27, 2021 3:04 PM

That did not take long. There is another case in the works.

Lawyer Asks For New Trial After Cellebrite Vulnerability Discovery

A defense attorney has asked a judge to grant their client a new trial after Moxie Marlinspike, the founder of popular encrypted messaging app Signal, found security issues with mobile phone forensics hardware made by Cellebrite. The case heavily used evidence collected by a Cellebrite device, according to the motion for a new trial obtained by Motherboard.

JonKnowsNothing April 27, 2021 3:49 PM


The existence of the safe-file is like a warrant canary. One that gets exchanged at some random(?) time interval. The canary file does not exist on all phones; it’s on some phones and not others.

It would seem that there is a trigger that happens when the file is scanned or checked, that begins the data-scramble. It’s not clear that the data-scramble happens on phones that do not have the warrant canary.

The canary file appears to be targeted for phones of “high value VIP” types, but often the path of most LEO success is with the lesser-minnows where data might be extracted easier, because they may be less aware of their target value.

The ability to change data without audit traces has been known for some time now. It’s not a new factor in the data-scarfer-races. It’s only been a matter of time and legal interest to challenge all digital data for integrity. There is no guarantee that any data on the web, archives, in digital format has not been tampered with.

The only reason it has not been challenged so far has been a “public belief” that data has not been altered, because the LEOs normally present their findings as “un-challenged fact”. Recent discussions on time, forensics and other similarly submitted “science” have reviewed a number of flaws in these beliefs.

There is also the condition of Bad Programming producing Bad Data that appears to be Good Data but takes a lot of digging to find out that it’s not. In the USA the State/Feds have unlimited access to funds, science, investigators for the prosecution. The defendant has “his pocket-wallet” and public defenders cannot compete with the scope of resources arrayed against them.

It is one factor in “plea bargaining” systems, to declaim to the court you are guilty when you are not, in order to avoid longer jail terms and fines. The data against you goes unchallenged as “fact”.

In the USA, UK and AU such bargaining now leads to some serious situations. People are having their citizenship stripped and being deported to “ancestral homelands” based on the up-scaling of charges to hit the “threshold” for deportation and citizenship revocation.

iirc(badly) tl;dr

A person received an automatic ticket for running a red light. In the USA the fine is high and you get demerits on your driving record. If you garner enough demerits you lose your license to drive and much that goes with it.

  Driving is a Privilege not A Right – USA

The person was certain they had not run the light and challenged the ticket. Pictures and timestamps showed the light red when the car passed the intersection.

The person was able to hire some good lawyers and tech folks to look into the automated red light ticket system. All checked out.

It looked like the person would have to pay the fines and take the demerit.

One of the tech persons, went physically to the street in question and looked for the pressure trigger lines in the street. There was a problem.

It turned out the street had been repaved and the street paver had replaced the pressure lines some distance away from their original spec location. The trigger went off sooner than it was supposed to.

A whole lot of folks who never ran the light had gotten red light tickets. They paid the fines and took the demerit to avoid the hassle of paying lawyers and court costs.

Only the one person, knowing the data could not be true, challenged the system.

Weather April 27, 2021 4:26 PM

It goes along the lines of Wireshark exploits, and certain file formats that, if a parser program like the recycle bin reads them, corrupt it.
I’m guessing, but I doubt the patch they released actually fixed the first part of the path that caused the exploit; more like mov eip 0x41414141 they changed to xor esp, ebp. Saying that, I don’t think they should be too cocksure at this stage.

SpaceLifeForm April 27, 2021 5:32 PM

@ Weather

You are missing the point.

An exploit does not have to exist, just the possibility that an exploit can exist. Which certainly is the case. This is Windows.

Cellebrite is dancing in a Security Theatre.

There is ZERO CHANCE they are trustable.

Karellen April 27, 2021 5:58 PM

I have no idea how effective this would be in court. Or whether this runs foul of the Computer Fraud and Abuse Act in the US. (Is it okay to booby-trap your phone?) A colleague from the UK says that this would not be legal to do under the Computer Misuse Act

I wonder – some reasonable levels of protection of private property that might pose a small danger to intruders are often permissible if suitable warnings are prominently posted. If you had a sticker on the back of your phone saying “Device protected by Signal counter-hacking measures.”, or “By connecting to this device, you grant its owner permission to access yours in return.”, or similar, might this provide a plausible defence against people trying to breach your device without your consent?

Weather April 27, 2021 6:49 PM


No I’m not. I’ve always said you shouldn’t use computer evidence in court, and I think I said it on this site. I was explaining to another poster that you could compare Wireshark and Cellebrite exploits as the same logic.

Nik April 27, 2021 7:13 PM

I used to work for a computer forensics company. I remember undergoing GREAT pains to harden the software against corrupt/malicious files. It slowed development and code writing, but was the right thing to do. We used static code analysis, fuzzing, code reviews, crash dumps, code coverage and other tools.
I still remember one corruption where the process would disappear – this was due to such corrupted memory that when Windows tried to write a crash dump it crashed (in the crash handler), making the process disappear.
I then wrote an out-of-proc debugger that then wrote a dump file out.

In later years wrong people were hired and things went down the tubes.

On a related note, the company had their own version of Cellebrite, including a Faraday bag with copper fabric and such. This was before Cellebrite, and back then there were 200+ connectors to tap into the JTAG/diag connectors to read out physical EEPROM.

The file system was then re-built from that.

The myriad of different phones with tiny lifetimes killed that product. Unlike now, where iPhones and Samsung are 50% of the market.

Weather April 27, 2021 7:25 PM

I haven’t worked for forensics, but I did download from a Romanian site what police used; didn’t do too much experimenting. It stops write access, own hardware, and f$$k a USB port, but it’s a minimal interface, just hash and copy.
The hash process could have a bug, the kernel hardware DLL or the main program.

The overview… Not every low life is a good guy… normally it’s character.

Nik April 27, 2021 7:40 PM


Oh yeah, that brings back memories of USB write-blockers. The company developed a “software one” then later acquired a hardware-based company.

Most of the issues are in the parsing; acquisition is just copying a block of bytes over.
That being said, there were issues in the USB device auth that could reboot[1] the system… and it was never tracked down. Too expensive.

[1] I also got an NTFS drive that caused a blue screen on boot. When booted into safe mode it would NOT blue-screen. Where was the KERNEL bug?

In the NTFS driver! Specifically in the $Log file. It was corrupted. The $Log file helps unroll transactions in the case of a crash. Usually. This time a length field was 0xffffffff, which caused a buffer overflow/memory corruption.

It blue-screened the machine that the drive was plugged into (via USB).
I made a flash drive out of it and thus was able to prank a deserving co-worker.

I also reported this to MSFT and it was patched. I was too busy to see if this could yield kernel code execution.

QM April 28, 2021 3:10 AM

My new phone wallpaper will just be plain text saying, “Cellebrite Defender Installed”.

BenFDC April 28, 2021 1:50 PM

Old chess maxim: the threat is stronger than the execution. There’s no need for Signal to download exploits; the damage is already done.

Patrick April 28, 2021 2:11 PM

Looking at this from a different angle: How easy might it be to send someone a handcrafted file which makes them look guilty when their phone is scanned by Cellebrite?

Clive Robinson April 28, 2021 2:55 PM

@ Patrick,

How easy might it be to send someone a handcrafted file which makes them look guilty when their phone is scanned by Cellebrite?

Just as easy as sending any other file…

It’s why I say,

“Technology is agnostic to use. Good or bad are points of view on the intentions of the Directing Mind.”

If lawyers start getting convicted defendants found not guilty on appeal because of Cellebrite’s failings, you will see something odd happening. That is, rather than go after Cellebrite, the prosecutorial side of the justice system will fight every which way it can, including faking up evidence, to stop the convictions being reversed.

It’s just one of the reasons the US justice system still gives credence to “lie detector tests” and many “forensic ideas” that are not just silly nonsense but have been fully debunked beyond any shred of a doubt scientifically.

Because you have to remember the US justice system is in reality a “Points make Prizes” system. Where the object is not about justice, but who has more “notches on their gun”. Thus the Upton Sinclair observation[1] applies, and no matter how compelling the evidence is for innocence it will be ignored as it has a serious effect on career trajectories.

[1] Back in the 1930s Upton Sinclair observed somewhat dryly,

“It is difficult to get a man to understand something when his salary depends upon his not understanding it.”

Oh he also observed what might be a snapshot of the fate of the wrongly convicted,

“Human beings suffer agonies, and their sad fates become legends; poets write verses about them and playwrights compose dramas, and the remembrance of past grief becomes a source of present pleasure – such is the strange alchemy of the spirit.”

JonKnowsNothing April 28, 2021 5:10 PM

@Patrick @Clive

re: How easy might it be to send someone a handcrafted file which makes them look guilty

It doesn’t have to be handcrafted nor sent by a 3Letter/LEO, it only has to be a file marked/defined as “prohibited”.

It can be sent by anyone, at anytime or preexist on the device as in preloaded or side loaded by “others”.


A rather appalling situation occurred in the UK not that long ago.

A highly respected senior member of the policing services was convicted, sentenced, discharged from their job for having a “prohibited” file on their device.

The file in question had been sent by a well-meaning member of the family in attempts to get the police to “do something about this”. The file was a type marked “prohibited”.

The police officer never saw the file, never opened the file, but was found guilty on the basis that the file existed on the device, ergo: Guilty by Default.

iirc The person has now completed most of the fixed sentence but will continue to endure a lifetime sentence associated with the file.

Such files are not uncommon and a common theme in discovering them is Taking Your Computer In for Service/Maintenance/Upgrade/Virus Removal at tech stores both Large and Small.

Clive Robinson April 29, 2021 4:51 AM

@ JonKnowsNothing,

It can be sent by anyone, at anytime or preexist on the device as in preloaded or side loaded by “others”.

Or as a part of someone doing their job…

Back in the 1990s there was usenet[1] and all its myriad of newsgroups, including the “alt.” branch, where by volume around 99% of the traffic occurred.

Administering a Usenet server is recognised as one of the hardest jobs there is to do, which is why many ISPs either do not have servers or significantly pare back the branches and newsgroups covered.

Socially there was the “3G problem” of “Girls, Gambling and Games” and various other sins. But “sex” in its various information forms was fairly rampant. As these were the most often prohibited branches and newsgroups, “crossposting” into other newsgroups and branches was a very serious issue.

The question back in the 1990’s was how to keep it out…

One standard method was for the admin to accept the unwanted newsgroups and branches and use them to build a table of “file names, sizes and checksums”. This table was then used to compare all other files to and stop them being seen on the server if they matched in any way.

The problem with this is that usenet is a very distributed system and has complex updating effects, which means there is no central authority to build such a table, so it all had to be done locally on the server.

A friend who worked at a large organisation had the usenet admin duties dumped on him, a job he did not want to do because it is at the very best a thankless one, with people complaining about postings going missing or newsgroups not being available etc. And on top of that the 3G problem, which was in direct contravention of the organisation’s “User Policy”…

Well, there was a long history of emails from my friend to “management” involving the issues with 3G and the user policy over more than a year, including management signing off on various procedures and activities. As a result he became very unpopular with management that was at best lazy and incompetent.

My friend had other thankless admin duties loaded up on him, including “mail administration”, which all blew up one day when a departmental admin made a series of changes to their mail system without going through the change procedure. So the first my friend knew something was wrong was when he got complaints via the central computing services user help desk. Even though he could prove beyond any doubt he was not to blame, he was found guilty by way of “not communicating properly with departmental administrators”, which he appealed. Unfortunately he was not in a politically strong position and his cards were rather more than marked from that point on.

Due to poor management staff relationships there was a staffing issue and an overpaid contractor was brought in, who started throwing his weight around in areas he had no jurisdiction in; he rubbed backs up the wrong way and things got broken, like the package management system on the Sun boxes. Thus my friend made a formal complaint to his line manager. The result: more senior management decided it was time for my friend to not just be got rid of, but got rid of in the most harmful way possible.

Basically they decided that as he had “obscene material” on the systems he managed he was to be terminated that way…

He asked me to defend him which I agreed to do.

It quickly became clear that the organisation had no intention of backing down and they did all sorts of things wrong, and it got so bad I ripped seven kinds of hell out of their resident Barrister for his failings in front of the most senior of management, which he did not like, especially as they were recording it at the time, thus it became “evidence” they could not hide.

The upshot was the organisation circled the wagons and went into full denial mode even though there were hundreds of emails and other recorded communications and evidence against them. They dragged it out to the courtroom, where they were advised by their own counsel to take the judge’s advice and negotiate. Whereupon they capitulated almost entirely, but my friend was not getting his job back…

As I’ve mentioned before, not long afterwards the organisation got raided by the UK security services (Special Branch/MI5 on behalf of MI6) over somebody named David Shayler[2]. Unsurprisingly it was distinctly embarrassing for the organisation and its then leader, who had a “Free Press Reputation” that got held up as the falsehood some of us already knew it to be, and was publicly destroyed…



Yes, the article is nearly twenty years old and, importantly, written before 7/7 in 2005, but very little has changed in the organisations other than a reshuffle of deck chairs, new logos and a lick or three of paint. As for those individuals, well, the strain has caused more problems than many would realise.

The last I heard she had become a civil rights campaigner in South East London.

SpaceLifeForm April 29, 2021 5:38 PM

@ RudyGiuliani

Just keep on keeping on. It’s all good now.

For you, Signal is perfect on iPhone.

The Cellebrite Physical Analyzer – the most intrusive phone-cracking tool offered by the company – no longer supports the direct extraction of iPhone data, according to a document shared with us. This follows the discovery and exploitation of a vulnerability by secure messaging app Signal.

Oh, wait. Did I miss that you lost your phone yesterday? My bad.

SpaceLifeForm April 30, 2021 2:03 AM

@ RudyGiuliani

You know about pics, right?

Not talking about the one with your hand in your pants, or the pics from Four Seasons Total Landscaping.

Maybe, you should turn States Evidence.

I say this because Signal is not really secure, especially if the other end is doing CYA.

The sooner you flip, the better off you will be.

Oh, and don’t forget about Nunes. He may have already flipped.

A series of private messages starting in late 2020—also recently obtained by The Daily Beast—shows a number of exchanges between Greenberg and Stone conducted over the encrypted messaging app Signal, with communications set to disappear. However, Greenberg appears to have taken screenshots of a number of their conversations.

“If I get you $250k in Bitcoin would that help or is this not a financial matter,” Greenberg wrote to Stone, one message shows.

“I understand all of this and have taken it into consideration,” Stone replied. “I will know more in the next 24 hours I cannot push too hard because of the nonsense surrounding pardons.”

“I hope you are prepared to wire me $250,000 because I am feeling confident,” Stone wrote to Greenberg on Jan. 13.

SpaceLifeForm April 30, 2021 3:00 AM

@ RudyGiuliani

One more point. As you are allegedly a lawyer, you should know that search warrants have specificity.

That is why the FBI was not there to take any alleged Hunter Biden hard drives.

That do not exist.

So, keep lying and digging your hole deeper.

Steve April 30, 2021 3:13 PM

Can someone please explain to the uninitiated, i.e., me, what “phone number sharding” is?

I tried searching but only found results for database sharding, which I sort of understand and assume is irrelevant in this context.

SpaceLifeForm April 30, 2021 6:11 PM

@ Steve

Exactly. Irrelevant. You get it. It is a joke.

The point of the point is that LE and Cellebrite have no way of knowing.

SpaceLifeForm April 30, 2021 6:57 PM

@ Steve

An example of phone number sharding in this instant case would be:

Let’s download a file to phones that have an even number in the third-to-last position, and an odd number in the last position.

Or something like that.

See the dilemma?

1&1~=Umm April 30, 2021 8:49 PM


“phone number sharding”

Sharding is a word like “breaking” or “cutting” or “shattering”; it’s not specific to anything in particular.

Loosely it means,

“Taking something whole and breaking or shattering it down randomly into shards”.

Implying the something is an object of a type that actually can be broken into random but distinct pieces that can be placed back together as a whole.

A china plate for instance if dropped will often break into just a few large random pieces that if placed carefully together with the right sort of glue will appear as though unbroken.

Thus, to use bad English, “The plate has been sharded and restored”.

So much for tangible physical objects, the term is also used with intangible information objects, a database being one of many such objects.

In times past we had “Russian coupling”, which was a technique with hand ciphers. The cipher text was broken into two or more seemingly random blocks at places known only to the two communicating parties. The pieces were then rearranged out of order in some apparently random pattern, again known to the two parties. The purpose was often twofold,

1, To make cryptanalysis harder by moving encrypted “known plaintext” such as formal headings/salutations and likewise standard endings into the body of the ciphertext.

2, To help hide plaintext “message indicators” again by moving them from the start or end of a message into the body of the ciphertext.

The process of breaking the ciphertext up is “sharding” though you won’t get to hear it used that way these days. Like other terms such as a “British museum” attack, those who used them have passed into history and taken their “lingo” with them.

But like “other terms of art” the word is “overloaded” and has slightly different meanings in different “domains of art/endeavour”.

I suspect the important point in this case is the word “random”. That is, a “random selection” of users –ID’d only by their phone numbers– will be selected, and at “random times” be sent one of these Easter Eggs. With “random time” being from before the announcement to some time long in the future (if at all).

I suspect other projects will do something similar and put it in the EULA as a requirement of use, using appropriate language such as “for security testing research purposes” and thus slide it in under DMCA etc exemptions.

Look on it if you like as the legacy of William Barr, and Louis Freeh (possibly the worst director of the FBI ever).

JonKnowsNothing April 30, 2021 9:18 PM

@Steve, @All

re: Sharding

Sharding can also refer to the creation of multiple game servers where each server has a complete set of code and is independent of any other set of servers.

Many games run multiple “worlds” or “shards”. Normally such worlds are mirrors of each other but with no interconnection. They each stand alone.

Some games run special shards which are limited servers. They may have stripped down code (Legendary) or limited time (Tournament) uses.

Legendary/Classic are often retro-code servers that mimic earlier game play. They often have a hard-cap for player advancement and focus on quests/activities associated with lower level players. Periodically the cap levels will be raised and the matching game content will be released onto the Legendary/Classic server.

Legendary/Classic servers can be popular because they are not focused on getting to Max Level Fastest and spend more time (months) on “completionist” activities.


  • Completionist = a player that wants to do all activities/quests/achievements/deeds/collectables and special events(holiday specials).
  • After players have done Max Content many times, it’s a nice change to slow down and enjoy being Level 5 for a while. Just watch out for the wolves.
