Highlights:
- Israeli digital intelligence firm Cellebrite sells software designed to unlock phones and extract their data.
- Moxie Marlinspike claimed that Cellebrite’s software has atrocious security.
- Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence.
- Cellebrite sells software designed to unlock phones and extract their data.
Introduction:
Signal is a cross-platform messaging service with centralization encryption. Signal Technology and Signal Messenger LLC is the developer of the platform. It uses the Internet to send one-to-one and group messages, which can include files, voice notes, images and videos. You can also use it to make one-to-one and group voice and video calls, and the Android version can optionally function as an SMS app.
Signal uses standard cellular telephone numbers as identifiers and secures all communications to other Signal users with end-to-end encryption. The apps include mechanisms by which users can independently verify the identity of their contacts and the integrity of the data channel.[18][19]
Signal’s CEO Just Hacked the Cops’ Favorite Phone Cracking Tool.
Israeli digital intelligence firm Cellebrite sells software designed to unlock phones and extract their data. As a result, its products are a favorite of law enforcement agencies across the U.S., and police frequently use them to gather evidence from seized devices. In the past, the company has received criticism for its willingness to sell to pretty much any government—including repressive regimes around the world. However, despite its mission to compromise phone security everywhere, Cellebrite would appear to have little interest in securing its own software—if you believe the CEO of encrypted chat app Signal.
In a blog post published Wednesday, Moxie Marlinspike claimed that Cellebrite’s software has atrocious security that can be easily manipulated in a number of pretty astounding ways.
“We were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present,” Marlinspike writes. “Until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.”
Marlinspike has very publicly outed these security concern
On top of everything, the blog makes another pretty bold claim. It says that code that apparently is the intellectual property of Apple appears within Cellebrite’s software. This is something Marlinspike says “might present a legal risk for Cellebrite and its users.” In other words, Cellebrite might be selling code that belongs to its biggest adversary.
If all of these disclosures are true, it could have pretty massive ramifications for Cellebrite. We can assume it’s really this easy for someone to break into the company’s software. He can drastically alter the data that police are collecting. But how certain can law enforcement be that the evidence they are collecting is actually correct? What would the legal ramifications be for the cases that have hinged on Cellebrite’s software? That too if its security is really paltry. Anyone who has an involvement in a case that uses this software, should probably be calling their lawyer right now.
