Israeli company Cellebrite, a well-known provider of technology for unlocking and jailbreaking phones, released an update for its products less than a week after the founder of secure messenger Signal, Moxie Marlinspike, claimed that he had managed to hack Cellebrite's tool.
Marlinspike examined the Cellebrite device and found that it lacked protection against exploitation. According to the specialist, this flaw allows a malicious file to be injected into an application or phone connected to the Cellebrite device, and with its help control the tool's access to data, potentially compromising police investigations.
As reported by Motherboard, citing anonymous sources, at the beginning of the week Cellebrite released an update that fixes the vulnerability and strengthens the security mechanisms of the solutions.
According to the annotation at the disposal of the publication, the manufacturer has limited the number of products that use logical data extraction from iOS devices - now logical analysis is present only in the Cellebrite UFED software and hardware complex. Typically, mobile forensic analysis tools perform physical and logical extraction of data, with logical analysis being the simplest and most reliable method.
Although the Israeli vendor did not specify in its post what kind of vulnerability it was referring to, one of the company's customers suggested that it was a problem discovered by Merlinspike. At the same time, the released update is not a fix, but rather a way to minimize the attack surface, the source believes.
Earlier this week, Israeli technology export rights activist Eitay Mack sent a letter to Israel's attorney general asking police to stop using Cellebrite products. Letters, also sent to the Israeli police, police investigation units and the military prosecutor's office, call for the suspension of the use of the UFED "pending an investigation into its effectiveness and reliability".