Hackers have published tools Cellebrite for hacking iOS
UFED Touch Ultimate: a complete solution for mobile forensics
About a month ago, a group of unknown hackers announced the hacking of the Israeli company Cellebrite , which sells law enforcement agencies around the world the Universal Forensic Extraction Device (UFED) hardware and software system for hacking and copying data from any mobile phones. Similar tools for forensic examination makes the Russian company " Elcomsoft ". It was Cellebrite who was rumored to have helped the FBI hack an iPhone 5C phone under iOS 9, owned by a San Bernardino terrorist, who became a stumbling block in the loud conflict between Apple and the FBI .
In January, hackers provided an archive of 900 GB of files received from Cellebrite servers to prove the editors of Motherboard’s edition. The seized files include customer lists, databases, and a large amount of technical information about Cellebrite products. The initial analysis of Cellebrite customer data shows that among its customers were law enforcement agencies from countries such as Russia, the UAE, and Turkey.
The entire archive of 900 GB has not yet been published, there is a lot of confidential information. But today, hackers have laid out the online commercial binaries for Cellebrite, which it sells to its customers as part of a software and hardware system for hacking Apple smartphones.
')
Links to files with the statement of a group of hackers published on Pastebin .
Files are hosted on Mega hosting. Unfortunately, within a few hours after the publication, the files were deleted from the Mega hosting service, but the mirror could not be found (UPD: but the ValdikSS user did it , the mirror ).
But in the first hours after the publication, an expert on information security and a well-known expert on hacking macOS and iOS, Jonathan Zdziarski, managed to get acquainted with these tools. His opinion is very curious to know.
Cellebrite robbed jailbreak community?
In a dump published today, there are exploits for circumventing protection in iOS smartphones, “specially designed routines for decrypting this security protection”, a demonstration file .eas (DLL for working with specific devices and applications) and .epr files (bootloaders, exploits and shellcode) .
Hackers note that some of the Apple exploits are very similar to the standard tools available to every young teenage hacker who plays with jailbreaks for the iPhone. These are publicly available jailbreak tools that are actually sold to government agencies in a beautiful “wrapper” for tens and hundreds of thousands of dollars. In this regard, it is recommended to pay special attention to .epr for Blackberry.
Along with the files in the first dump are decrypted and fully working Python scripts to use these exploits.
Code for one of the scripts
import os import sys import random class CellebritePython(object): init_tbl =[ 0x67, 0x3B, 0x9D, 0xE0, 0x44, 0xB4, 0xBF, 0x06, 0xD0, 0xA3, 0x46, 0xFF, 0x66, 0xA9, 0x5D, 0x13, 0x05, 0x8A, 0xF7, 0xC6, 0x6F, 0xF9, 0x32, 0x16, 0xCC, 0x0D, 0xFC, 0x3D, 0x6F, 0x76, 0x26, 0xF2, 0x00, 0x2E, 0x1B, 0x69, 0x9F, 0x58, 0xE3, 0x6C, 0x43, 0xF0, 0xE3, 0x9E, 0xF4, 0x86, 0x14, 0xDE, 0xF9, 0x29, 0x04, 0xF9, 0xED, 0x3F, 0x60, 0xE6, 0xD1, 0xD5, 0x76, 0xE4, 0x7A, 0xA8, 0x5C, 0xE0, 0xFD, 0x8D, 0xE6, 0x4B, 0xAB, 0x91, 0x8E, 0xF5, 0x6A, 0x97, 0x4C, 0x86, 0x87, 0x43, 0xE2, 0xA7, 0x23, 0xEA, 0xE1, 0xA7, 0x03, 0xB6, 0xE9, 0x34, 0xCD, 0xFD, 0x50, 0x78, 0xCC, 0xE9, 0x8E, 0xEE, 0xC6, 0xC2, 0x6B, 0xA2, 0xD9, 0x05, 0xBC, 0x09, 0xEA, 0x36, 0x82, 0xC2, 0xD8, 0x29, 0x4E, 0x9D, 0xBC, 0x0A, 0x58, 0x86, 0x9F, 0x0D, 0xD7, 0x21, 0xBC, 0x9F, 0x22, 0x34, 0xC9, 0x63, 0xBB, 0x77, 0x66, 0x4A, 0xA2, 0x1F, 0xA0, 0xCE, 0x49, 0x4F, 0x6C, 0xB7, 0xB6, 0xCC, 0x5A, 0x1A, 0x33, 0xFB, 0x3D, 0x13, 0xFB, 0xAB, 0x51, 0xC4, 0xE1, 0x5B, 0x1D, 0x6B, 0x5D, 0x2C, 0x2A, 0x5A, 0xEB, 0x6D, 0x13, 0xA9, 0x7D, 0xD7, 0x2F, 0xBE, 0x12, 0xE3, 0x09, 0x5E, 0xD4, 0x3F, 0xEB, 0xC5, 0xA0, 0x1D, 0x45, 0xF1, 0xE2, 0x72, 0x4A, 0x9D, 0xF7, 0xA0, 0x4F, 0xC5, 0x99, 0x91, 0x30, 0x6F, 0x26, 0x99, 0xAC, 0x74, 0xE3, 0x8D, 0x1C, 0xAD, 0x0A, 0xF3, 0xEA, 0xA1, 0xD7, 0x35, 0xFF, 0x02, 0x8A, 0xB8, 0x8E, 0xA0, 0xE9, 0xAC, 0x77, 0x47, 0x53, 0xFC, 0xB5, 0x8E, 0x81, 0xEF, 0xF5, 0xCA, 0xAF, 0x26, 0x58, 0xF7, 0xB8, 0x68, 0x91, 0xDE, 0xC6, 0x6E, 0x3A, 0x99, 0x48, 0x93, 0xCD, 0x8E, 0xD8, 0xB0, 0xA1, 0x64, 0xFA, 0xE5, 0x58, 0xDF, 0x35, 0x18, ] def __init__(self): self.buff=bytearray(0x100) self.curr_offset=0 self.sumvar=0 def randomBytes(self,n): return bytearray(random.getrandbits(8) for i in range(n)) def init_table(self): for t in range(0xf8): self.file_data[t]^=self.init_tbl[t] for t in range(0x100): self.buff[t]=t sumvar=0 for t in range(0x100): val=self.file_data[t%0xf8] val+=self.buff[t] sumvar+=val sumvar&=0xff self.buff[t],self.buff[sumvar]=self.buff[sumvar],self.buff[t] def get_char(self): char=self.file_data[0xf8+self.curr_offset] self.curr_offset+=1 char2=self.buff[self.curr_offset&0xff] self.sumvar=(self.sumvar+char2)&0xff self.buff[self.curr_offset&0xff],self.buff[self.sumvar]=self.buff[self.sumvar],self.buff[self.curr_offset&0xff] char2=(self.buff[self.curr_offset&0xff]+self.buff[self.sumvar])&0xff return char ^ self.buff[char2] def decrypt(self,filename): buffer=bytearray() with open(filename,"rb") as file: self.file_data=bytearray(file.read()[4:]) self.init_table() for t in range(len(self.file_data)-0xf8): buffer.append(self.get_char()) return buffer def encrypt(self,filename): buffer=bytearray() self.file_data=bytearray() crypto_header=self.randomBytes(0xf8) self.file_data+=crypto_header with open(filename,"rb") as file: self.file_data+=bytearray(file.read())+b'\xff\xff' self.init_table() for t in range(len(self.file_data)-0xf8): buffer.append(self.get_char()) return b"CELL"+crypto_header+buffer filename="site.py" enc = CellebritePython() with open(filename+".dec","wb") as file: file.write(enc.decrypt(filename)) Jonathan Zdzierski says that the Cellebrite binaries really are very similar to the jailbreak tools that are distributed as part of the QuickPWN project. They were only adapted for forensic examination. For example, one of the program modules in the dump is designed for brute force pincode, which is not part of the normal jailbreak program.
If Cellebrite used these programs in its software and hardware complexes UFED and other products, it means that they “robbed” the jailbreaker community and used untested and experimental software as part of their commercial products, Zdzarski believes.
A representative of the company Cellebrite officially stated that the submitted files are part of the Cellebrite software package and are available to customers, while they are distributed without source codes. He added that the specialists of Cellebrite constantly monitor the latest developments of the hacker community, new methods of hacking, research tools, including jailbreaks.
Second dump
In the near future, hackers promise to post a second dump of files. It should have “a small selection of files received via the Cellebrite update server installed on devices and desktop computers under MS Windows (with SYSTEM privileges) within the client's infrastructure”.
In the second dump, a report should be published with an analysis of the “compression and obfuscation techniques” used in Cellebrite products commissioned by the UK Department of Defense, as well as the versions of programs with protection removed delivered by order of the General Directorate of Special Forces US MoD or SOCOM) and other organizations.
Watch for releases on Pastebin.
A month ago, it was reported that among the data received from the Cellebrite server is a web server cache with the names and passwords of users who logged in to the MyCellebrite portal. This section of the site is intended only for company customers. After the publication of articles in the Motherboard edition, Cellebrite officially acknowledged the fact of hacking of the “external web server” with the backup database of MyCellebrite accounts. On this occasion, an investigation was ordered. The company assured customers that there is nothing particularly confidential in the data leakage, only hashes of user passwords that have not yet migrated to the new user account accounting system. But an independent examination of the Motherboard showed that the 900 GB dump is much more than Cellebrite admits.
Source: https://habr.com/ru/post/373131/
All Articles