# Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective
> *This is the April 21, 2021 post on Signal's official blog, written by Signal founder Moxie Marlinspike ("moxie0"), reporting that Signal's team obtained Cellebrite's UFED and Physical Analyzer software and found numerous exploitable security flaws in Cellebrite's own code, including the ability to execute arbitrary code on a Cellebrite machine via a crafted file placed in any app on a scanned device, and to silently alter past, current and future Cellebrite extraction reports. It matters to the Arkansas surveillance investigation because Cellebrite UFED/Physical Analyzer is the mobile-device forensic extraction product line that Arkansas law-enforcement agencies acquire, and this independent teardown directly bears on the reliability and forensic integrity of the evidence those tools produce. This is a primary source: the research organization (Signal) speaking in its own voice, not a statement from Cellebrite. Note that the post describes the classes of flaw and their impact but does not publish the specific vulnerabilities; Signal offers disclosure only on a reciprocal basis (see "The exploits" below).*
## Source metadata
- **Publisher:** Signal Messenger LLC (official Signal blog), post authored by founder Moxie Marlinspike
- **URL:** https://signal.org/blog/cellebrite-vulnerabilities/
- **Archived:** 2026-06-07 via firecrawl_scrape (markdown)
- **Tier:** 2 (primary/official — the researcher organization speaking in its own voice)
## Extract — verbatim (lightly cleaned)
"Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called 'digital intelligence.' Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software."
"Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works."
### The background
"First off, anything involving Cellebrite starts with someone else physically holding your device in their hands. Cellebrite does not do any kind of data interception or remote surveillance. They produce two primary pieces of software (both for Windows): UFED and Physical Analyzer."
"UFED creates a backup of your device onto the Windows machine running UFED (it is essentially a frontend to `adb backup` on Android and iTunes backup on iPhone, with some additional parsing). Once a backup has been created, Physical Analyzer then parses the files from the backup in order to display the data in browsable form."
"One way to think about Cellebrite's products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands."
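The `adb backup` container the post mentions is the raw input that UFED wraps and Physical Analyzer parses. The following is an added example written for this page (not Cellebrite's or Signal's code) that builds and parses an unencrypted `.ab` blob in memory. The header layout (magic line, version line, compression flag, encryption line, then a zlib stream around a tar archive) is the documented `adb backup` format; the inflation cap, the path check and the sample file contents are this example's own assumptions, included because a parser of attacker-supplied backups is exactly the kind of code the post says should be hardened.

```python
"""Build and parse an unencrypted Android `adb backup` (.ab) container.
Added example for this page, not Cellebrite's or Signal's code. The header
format is the real .ab layout; the decompression cap and path checks are
this example's hardening choices, and the sample files are constructed."""
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"
MAX_INFLATED = 64 * 1024 * 1024  # assumption: refuse backups inflating past 64 MiB


def build_backup(files):
    """Construct a compressed, unencrypted .ab blob from {path: bytes}."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    body = zlib.compress(tar_buf.getvalue())
    # version 5, compressed=1, encryption "none", then the zlib stream
    return AB_MAGIC + b"5\n" + b"1\n" + b"none\n" + body


def parse_backup(blob, max_inflated=MAX_INFLATED):
    """Return {path: bytes} for regular files, refusing hostile containers."""
    if not blob.startswith(AB_MAGIC):
        raise ValueError("not an Android backup")
    parts = blob[len(AB_MAGIC):].split(b"\n", 3)
    if len(parts) != 4:
        raise ValueError("truncated .ab header")
    version, compressed, encryption, body = parts
    if encryption != b"none":
        raise ValueError("encrypted backups are not handled by this example")
    if compressed == b"1":
        # Bounded inflation: a tiny blob must not be allowed to expand without limit.
        d = zlib.decompressobj()
        tar_bytes = d.decompress(body, max_inflated)
        if not d.eof:
            raise ValueError("decompressed size exceeds limit or stream is truncated")
    else:
        tar_bytes = body
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            # Never let an archive entry name escape the extraction root.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"unsafe path in archive: {member.name}")
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out
```

`parse_backup` deliberately stops at the container layer; the per-app databases inside the tar (the part Physical Analyzer spends most of its effort on) are another set of untrusted parsers with the same concerns.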
### The software
"Anyone familiar with software security will immediately recognize that the primary task of Cellebrite's software is to parse 'untrusted' data from a wide variety of formats as used by many different apps... This is the space in which virtually all security vulnerabilities originate."
"Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present."
"As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then. There have been over a hundred security updates in that time, none of which have been applied."
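Both claims in this section (missing exploit mitigations, decade-old FFmpeg builds) can be checked directly from PE headers. The block below is an added example written for this page, not Signal's or Cellebrite's code: it parses `IMAGE_FILE_HEADER.TimeDateStamp` and `IMAGE_OPTIONAL_HEADER.DllCharacteristics`, flags the absence of ASLR (`DYNAMIC_BASE`, `HIGH_ENTROPY_VA`), DEP (`NX_COMPAT`) and CFG (`GUARD_CF`), and can walk an install directory. The in-memory sample binary, its 2012 timestamp and the staleness threshold are illustrative assumptions, not values taken from any real Cellebrite DLL.

```python
"""Check PE images for missing exploit mitigations and stale build dates.
Added example for this page, not Signal's or Cellebrite's code. Header
offsets follow the PE/COFF specification; the sample image is constructed
in memory, and the staleness threshold is this example's assumption."""
import os
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
MITIGATION_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR entropy
    "DYNAMIC_BASE": 0x0040,     # ASLR
    "NX_COMPAT": 0x0100,        # DEP
    "GUARD_CF": 0x4000,         # Control Flow Guard
}


def inspect_pe(data):
    """Return architecture, build time and mitigation flags from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_64bit": magic == 0x20B,
        "build_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "mitigations": {name: bool(dll_chars & bit) for name, bit in MITIGATION_FLAGS.items()},
    }


def findings(data, stale_before_year=2018):
    """List problems: missing mitigations and a build date older than the threshold."""
    info = inspect_pe(data)
    out = [f"missing {name}" for name, present in info["mitigations"].items()
           if not present and (name != "HIGH_ENTROPY_VA" or info["is_64bit"])]
    if info["build_time"].year < stale_before_year:
        out.append(f"built {info['build_time'].date()}")
    return out


def scan_directory(root):
    """Walk an install tree and return {path: findings} for every DLL/EXE found."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".dll", ".exe")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    head = f.read(4096)  # headers sit at the start of the image
                try:
                    results[path] = findings(head)
                except (ValueError, struct.error):
                    results[path] = ["not a parsable PE header"]
    return results


def make_sample_pe(timestamp, dll_chars, pe32plus=True):
    """Construct a header-only PE image in memory (constructed fixture, not a real DLL)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

`scan_directory(r"C:\Program Files\Cellebrite Mobile Synchronization")` (the path is an assumption) would give a per-binary list like `['missing DYNAMIC_BASE', 'missing NX_COMPAT', 'built 2012-06-01']`; a build timestamp is only indicative, since some toolchains write reproducible or zeroed values, but a whole family of DLLs stamped years ago is the signal the post describes.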
### The exploits
"Given the number of opportunities present, we found that it's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed."
"For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it's possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite's reports into question."
"Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."
"We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future."
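The integrity claim above ("no detectable timestamp changes or checksum failures") follows from the attacker controlling the machine that writes the report, its checksums and its file metadata. The block below is an added example written for this page, not Cellebrite's or Signal's code, and it assumes a constructed report layout (a JSON report plus a sidecar hash manifest) rather than any real Cellebrite format. It shows that a same-machine manifest check passes after tampering that also restores timestamps, while a hash recorded on a separate witness system at acquisition time still catches the change.

```python
"""Why a report's own checksums and timestamps prove nothing once foreign
code has run on the machine that produced it. Added example for this page,
not Cellebrite's or Signal's code; the report layout, manifest and sample
messages are constructed assumptions used to make the failure mode concrete."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def write_report(dirpath, messages):
    """Write report.json and a manifest of its hash; return the hash so the
    caller can record it on a system the extraction machine cannot reach."""
    report = os.path.join(dirpath, "report.json")
    with open(report, "w") as f:
        json.dump({"messages": messages}, f, sort_keys=True)
    digest = sha256_file(report)
    with open(os.path.join(dirpath, "manifest.json"), "w") as f:
        json.dump({"report.json": digest}, f)
    return digest


def verify_with_manifest(dirpath):
    """The check a viewer on the same machine can make: manifest hash vs. file hash."""
    with open(os.path.join(dirpath, "manifest.json")) as f:
        manifest = json.load(f)
    return all(sha256_file(os.path.join(dirpath, name)) == digest
               for name, digest in manifest.items())


def verify_with_witness(dirpath, witness_digest):
    """The check that survives compromise: compare against a hash held elsewhere."""
    return sha256_file(os.path.join(dirpath, "report.json")) == witness_digest


def tamper(dirpath, mutate):
    """What code running on the extraction machine can do: rewrite the report,
    regenerate the manifest, and put every file's timestamps back as they were."""
    report = os.path.join(dirpath, "report.json")
    manifest = os.path.join(dirpath, "manifest.json")
    stamps = {p: (os.stat(p).st_atime_ns, os.stat(p).st_mtime_ns) for p in (report, manifest)}
    with open(report) as f:
        data = json.load(f)
    mutate(data["messages"])
    with open(report, "w") as f:
        json.dump(data, f, sort_keys=True)
    with open(manifest, "w") as f:
        json.dump({"report.json": sha256_file(report)}, f)
    for path, (atime, mtime) in stamps.items():
        os.utime(path, ns=(atime, mtime))


def demo():
    """Run the scenario; returns (manifest_check, witness_check, mtime_unchanged)."""
    workdir = tempfile.mkdtemp()
    witness = write_report(workdir, [{"from": "alice", "text": "see you at 9"}])  # constructed sample
    before = os.stat(os.path.join(workdir, "report.json")).st_mtime_ns
    tamper(workdir, lambda msgs: msgs.append({"from": "alice", "text": "bring the package"}))
    after = os.stat(os.path.join(workdir, "report.json")).st_mtime_ns
    return verify_with_manifest(workdir), verify_with_witness(workdir, witness), before == after
```

`demo()` returns `(True, False, True)`: the local manifest and the file timestamps are consistent after the tampering, and only the externally held hash disagrees. The caveat for evidence handling is that the witness hash must be taken before any device is scanned on that machine and stored where the machine cannot write; once the post's scenario has occurred, every report already on the machine, and every hash it has ever emitted, is suspect.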
### The copyright
"Also of interest, the installer for Physical Analyzer contains two bundled MSI installer packages named `AppleApplicationsSupport64.msi` and `AppleMobileDeviceSupport6464.msi`. These two MSI packages are digitally signed by Apple and appear to have been extracted from the Windows installer for iTunes version 12.9.0.167."
"It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users."