From my understanding, police could scan phone A, if phone A had the malicious code then the scanner is infected, now when scanning phone B the results are invalid, it could always show an "All OK" message or it could plant evidence. There was a news story on the first page a few days ago where many postal workers were put in jail because of a software bug - so we know for sure if a computer says X the "experts" will confirm it.
The first thing these Cellebrite dudes need to do is to guarantee that the device gets a full reset before each use.
We as a society need to force our police and government to use only open source software, otherwise we don't know what backdoors or shit these guys put in, we could evaluate the code and see if we are wrongfully convicted by a shitty algorithm and transparency would also prevent (hopefully) people selling some open source software with a logo and a python script for millions.
> if phone A had the malicious code then the scanner is infected, now when scanning phone B the results are invalid
I think it was more insidious. Police scan phone A and store a log. Police scan phone B with said code on it, which infects the scanner. This code not only tampers with the logs for phone B, but goes back and tampers with the logs for phone A. There is thus no log that one can definitively say represents the true state of any scanned phone at the time it was scanned.