
In Fighting Cellebrite, Signal May Have Gone Too Far

Logos of WhatsApp and Signal mobile messaging services. Credit: LIONEL BONAVENTURE / AFP

Three weeks ago, many were excited following a post by Moxie Marlinspike, founder of the secure messaging app ‘Signal’ – hammering away at the Israeli mobile data extraction firm Cellebrite. 

Marlinspike, a noted cryptographer and hacker, published the results of an analysis he conducted of Cellebrite’s flagship UFED device, which he said “fell off a truck.”

In his post Marlinspike concluded that the device, which is used by law enforcement and security agencies for forensic examinations of cellphones, suffers from many serious security flaws. If exploited, Marlinspike noted, malware can be preinstalled on a given cellphone and it would not only disrupt any current examination by the device, but also damage prior examinations already stored on Cellebrite’s hardware.

A USB device is attached to Cellebrite's UFED TOUCH, a device to extract data from a mobile device. Signal's founder revealed he cracked Cellebrite's software and that it is exposed to manipulation. Credit: Issei Kato / REUTERS

Marlinspike ended his post with an unsubtle hint that Signal is already working on encrypting such files (for “aesthetic” purposes) and adding them to its next software updates.

Marlinspike justifies his attack on Cellebrite with criticism that the Israeli firm sells its products to oppressive regimes and its software has been used to commit widespread violations of human rights. He writes that Cellebrite has sold its products to Russia, Venezuela, Belarus and China, among others, and it still sells to countries like Turkey and Bangladesh.

Marlinspike is supposedly acting in accordance with Signal’s principles and values. Signal, with its encrypted protocol, was intended to protect people’s privacy and freedom of expression - both indisputably worthy goals. Signal provides power to the poor and weak, acting as a Robin Hood of sorts, protecting them against the suffocating power of oppressive regimes interested in robbing the masses of their privacy and penetrating their electronic devices.

Marlinspike’s post may seem like a noble act, but in my opinion, this is not the case. A more sober view of Marlinspike’s justifications – especially given Signal’s goals of promoting freedom of expression and creating secure communications – makes his latest move seem particularly troubling.

First, as Signal’s representative, Marlinspike’s moral superiority is uncalled for. Cellebrite’s software isn’t inherently malicious or illegal. Cellebrite’s software provides cellphone copying and examination capabilities – and not unlike Signal, it is the context in which it’s used that determines its legitimacy.

It’s a sad truth that some Cellebrite products wind up in the hands of bad regimes. In that aspect Cellebrite’s officials need to take a hard look at their sales practices. But if the end users are a test for the legitimacy of the software - then Signal has no moral high ground to claim.

Numerous pedophiles send self-erasing messages using Signal to cover their tracks. Drug dealers and even terrorist organizations consider Signal their go-to app. So where does this exaggerated feeling of superiority to Cellebrite come from, given that Signal itself often serves as a tool to evade the law in the hands of criminals who harm innocents and acquire their money by oppressing society’s weakest members?

Moreover, criticism of Cellebrite’s sales to Turkey, for example, is excessive. Could Cellebrite decide not to sell its products to a NATO member? And perhaps the company should also refuse to sell to Spain, due to its efforts to prevent Basque and Catalan independence? What standard does Cellebrite have to meet to earn Marlinspike’s seal of approval?

And let’s take this a step further. If we are taking proactive malware steps – we should consider any company with problematic practices as a potential target. Perhaps we should also install files that will disrupt Facebook’s operations, since that company sometimes facilitates the dissemination of libel and racist incitement? And YouTube belongs to an industry that revolves entirely around selling impossible body images, thereby encouraging eating disorders. Should it, too, be a candidate for Marlinspike’s attacks?

Second, and perhaps even worse, is the disproportionality between Marlinspike’s criticisms and the actions he is taking in response. If he thinks Cellebrite should stay away from Signal, he’s certainly free to encrypt his own products. He’s also welcome to make his views clear to Cellebrite. But to transfer open-source files that could undermine Cellebrite’s entire field of operations – operations that even law-abiding countries use to fight crime – is wildly excessive.

This behavior is also morally unacceptable. The files Marlinspike seeks to disseminate are a kind of machete whose main purpose is to impede the proper functioning of other software. This isn’t a method of defense, but an offensive weapon whose goal is to hurt someone else. 

Could a manufacturer of opium pipes claim that he’s merely allowing people to exercise their autonomy over their own bodies? This is pure lip service.

Moreover, Marlinspike knows that Cellebrite’s software is often used to carry out court orders in democratic countries. If his malware is effective - has he taken into consideration the effect on the victims? Who is Marlinspike punishing? Residents of democratic countries who need effective law enforcement tools. They are the ones who will suffer.

In short – this is total overkill. Marlinspike’s methods and disproportionality leave me with the feeling that this isn’t a freedom of speech issue, but an attempt to intimidate anyone who may try to tamper with Signal – with the end goal of disseminating it worry-free. That’s more like extortion than anything else.

Gadi Perl is an attorney and PhD Candidate at the Hebrew University Law Faculty. He is a research fellow at the Federmann Cyber Security Research Center Cyber Law Program and heads the Forensic IT office at the Israeli Competition Authority. This article represents his personal opinion and does not represent the authority in any way.
