Signal is widely considered the most secure mobile messaging application available. It is favored by journalists, and its end-to-end encryption protocol, the Signal Protocol, is also used by other apps such as WhatsApp to ensure that communications cannot be intercepted and that sources remain confidential.
That is why many were so surprised when Cellebrite, an Israeli digital intelligence firm that sells police forces hardware which purports to unlock any phone in their physical possession, claimed it could crack Signal's app.
Cellebrite, which recently announced it was going public, works with law enforcement agencies and has a long list of clients, including regimes with poor human rights records. For example, until this year its UFED (Universal Forensic Extraction Device) system was sold to China, which used it against pro-democracy activists in Hong Kong. Last month Cellebrite announced it would also halt sales of its technology to Russia and Belarus.
At the end of 2020, Cellebrite published a blog post claiming that its technology could now also extract data from Signal. The post was later amended and eventually retracted after Haaretz reported on it. The news caused a stir online, with Signal founder Moxie Marlinspike and even NSA whistleblower Edward Snowden disputing the claim.
Cellebrite's flagship product is the UFED, a system that lets authorities unlock and extract the data of phones in their physical possession. It is paired with another product, the Physical Analyzer, which organizes and processes the data lifted from the phone. The company appeared to claim that the analyzer had been updated to decode Signal's data.
"Not only can Cellebrite not break Signal encryption, but Cellebrite never even claimed to be able to," Marlinspike wrote at the time, calling out "clickbait" headlines. According to him, since Cellebrite only works with devices already in its possession, the announcement was tantamount to saying its software could now do what anyone could do: open the app on an already unlocked phone and read its messages.
But Moxie, as the Signal founder is also known, did not let the matter go. On Wednesday he got his revenge on the Israeli firm: in a new blog post, he said he had examined Cellebrite's software and found a number of serious flaws.
How did Moxie lay his hands on a UFED system, which Cellebrite says is sold only to vetted police forces? "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite" system, he wrote.
Moxie claimed to have discovered serious vulnerabilities in Cellebrite's software. According to him, "looking at both UFED and Physical Analyzer… we were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present."
The problem follows from how the tools work: Cellebrite's software pulls and parses all the data it can from the different apps on a phone, so a specially crafted file placed on that phone can, when the tool scans it, turn the tables and run code on the Cellebrite machine itself. Moxie explained that once running inside the software, such code could alter the data and the reports the tool produces.
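The mechanism described above, as an added example written for this piece rather than code from Signal's post or from Cellebrite: a forensic tool's parser that trusts a length field read from the seized device, next to the same parser with the checks that make a hostile record harmless. The record format, function names and sample records are constructed for illustration. The exploit mitigations Moxie mentions (stack canaries, ASLR, DEP) would make the unchecked copy harder to turn into code execution; validating what the device supplies removes the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Editor's example, not Cellebrite's or Signal's code.
 * Hypothetical record format as an extraction tool might pull from an app's
 * storage: [u32 little-endian length][payload bytes]. The length field comes
 * from the seized device, i.e. it is attacker-controlled.
 */

#define MAX_PAYLOAD 32

enum parse_status { PARSE_TRUNCATED = -1, PARSE_OVERSIZED = -2 };

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Vulnerable variant: trusts the declared length. 'out' is a MAX_PAYLOAD-byte
 * buffer, so a record claiming more than that overflows it, and a record
 * claiming more bytes than the input holds over-reads. Shown for contrast;
 * it is only ever called on the well-formed sample here.
 */
int parse_record_unsafe(const uint8_t *buf, size_t buflen, char *out) {
    (void)buflen;                          /* input size is never consulted */
    uint32_t len = read_u32le(buf);
    memcpy(out, buf + 4, len);             /* unbounded copy */
    out[len] = '\0';
    return (int)len;
}

/*
 * Hardened variant: checks the declared length against both the bytes
 * actually present and the destination capacity before copying anything.
 * Returns the payload length, or a negative parse_status.
 */
int parse_record_safe(const uint8_t *buf, size_t buflen, char *out, size_t outcap) {
    if (buflen < 4) return PARSE_TRUNCATED;
    uint32_t len = read_u32le(buf);
    if (len > buflen - 4) return PARSE_TRUNCATED;  /* claims bytes that are not there */
    if (len >= outcap) return PARSE_OVERSIZED;     /* would overflow 'out' (incl. NUL) */
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed samples: one well-formed record and one a hostile device could carry. */
static const uint8_t BENIGN[]  = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t CRAFTED[] = { 0xff, 0xff, 0xff, 0x7f, 'A', 'A', 'A', 'A' }; /* claims ~2 GiB */

int check_safe_benign(void) {
    char out[MAX_PAYLOAD];
    return parse_record_safe(BENIGN, sizeof BENIGN, out, sizeof out);    /* 5 */
}

int check_safe_crafted(void) {
    char out[MAX_PAYLOAD];
    return parse_record_safe(CRAFTED, sizeof CRAFTED, out, sizeof out);  /* PARSE_TRUNCATED */
}

/* Length consistent with the input but larger than the destination: exactly
 * the record that would smash the stack in parse_record_unsafe. */
int check_safe_oversized(void) {
    char out[MAX_PAYLOAD];
    uint8_t rec[4 + 40];
    rec[0] = 40; rec[1] = rec[2] = rec[3] = 0;
    memset(rec + 4, 'A', 40);
    return parse_record_safe(rec, sizeof rec, out, sizeof out);          /* PARSE_OVERSIZED */
}

/* The unsafe parser behaves on well-formed data, which is why such bugs survive testing. */
int check_unsafe_benign(void) {
    char out[MAX_PAYLOAD];
    return parse_record_unsafe(BENIGN, sizeof BENIGN, out);              /* 5 */
}

int main(void) {
    printf("safe/benign=%d safe/crafted=%d safe/oversized=%d unsafe/benign=%d\n",
           check_safe_benign(), check_safe_crafted(),
           check_safe_oversized(), check_unsafe_benign());
    return 0;
}
```

Build with `cc -Wall -Wextra -o parse parse.c` and run it; the two rejected cases are the ones an unchecked parser would turn into a memory-corruption primitive on the analysis workstation.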
“It can make it so that someone who was found guilty can now seem to be innocent or vice versa,” explains Ran Bar-Zik, Haaretz’s cyber security expert. “This is potentially devastating for Cellebrite as it means that lawyers can possibly try to claim the evidence collected through their tech is unreliable and cannot be treated as evidence in court.”
In a clear swipe at Cellebrite, Moxie indicated that upcoming versions of the Signal app will include exactly such files, so that any Cellebrite system attempting to lift data from a phone with Signal on it could be compromised and its reports corrupted. This would extend to past extractions stored on the same Cellebrite system, taken from other phones.
Nonetheless, the Signal founder offered to share his detailed findings with Cellebrite so it can fix the vulnerabilities, but he conditioned the offer on the Israeli firm disclosing to the relevant vendors all the vulnerabilities it exploits in its own products, now and in the future. Such a disclosure would effectively render Cellebrite's technology obsolete, so it seems very unlikely the company will meet Moxie's demand.
Moxie also claimed to have discovered something else with potentially significant implications for Cellebrite: some of the code its software ships belongs to Apple, in a possible breach of Apple's copyright. "It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate (their code), so this might present a legal risk for Cellebrite and its users," Moxie wrote.
"The main takeaway from this kerfuffle," explains Bar-Zik, "is that offensive cyber companies should be careful who they pick fights with and should invest heavily in their own development as their tools can be easily used against them. There is a big difference between having good offensive capabilities and knowing how to defend against them – and even a genius hacker may not know how to do the latter."
In response to Signal's claims, a spokeswoman for Cellebrite told Haaretz that the company "constantly strive[s] to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound."
The company vowed to work to “make sure that lawfully obtained digital evidence is utilized to pursue justice.”