Israeli phone-hacking firm Cellebrite can now break into Signal, an encrypted app considered safe from external snooping, it claimed in a blog post on Thursday. Meanwhile, a U.S. report revealed Friday that American school districts have also bought the firm’s technology.
Cellebrite’s phone-hacking technology is intended for law enforcement agencies and is sold across the world. However, critics have long slammed the company for selling its wares to states with poor human rights records, from Indonesia and Venezuela to Belarus and Saudi Arabia.
How COVID – and Israel’s Trump-brokered lovefest with Arab states – are affecting Palestinians
Following recent reports in Haaretz that the company’s technology was being used by Chinese officials to spy on pro-democracy activists in Hong Kong, Cellebrite announced it would no longer provide services to China or police forces in the Chinese administrative region.
Cellebrite’s flagship product is the UFED (Universal Forensic Extraction Device), a system that allows authorities to unlock and access the data of any phone in their possession. Another product it offers is the Physical Analyzer, which helps organize and process data lifted from the phone.
Last Thursday, the company announced that the analyzer has now been updated with a new capability, developed by the firm, that allows clients to decode information and data from Signal.
Signal, owned by the Signal Technology Foundation, uses a special open source encryption system called Signal Protocol, which was thought to make it nigh-on impossible for a third party to break into a conversation or access data being shared on the platform. It does so by employing what’s called “end-to-end encryption.”
>> Do you work in Israeli hi-tech and have a story to share with us? We can promise full anonymity: Click here to send us an encrypted email
- Israeli cyber unit veterans help Facebook destroy competition
- Revealed: Israel's cyber-spy industry helps world dictators hunt dissidents and gays
- Hacking Grindr? Israel’s Cellebrite sold phone-hacking tech to Indonesia
- Despite sanctions, Israeli firm Cellebrite sold phone-hacking tech to Venezuela
- Revealed: Israeli firm provided phone-hacking services to Saudi Arabia
The protocol has been adopted by the likes of Facebook, Skype and WhatsApp to protect its users, with Signal receiving funding for its product from free speech organizations and journalism watchdogs. The Freedom of the Press Foundation provided initial funding for the app’s development. After launching in 2018, the Signal Foundation’s mission statement was “to support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous.”
While the likes of Facebook and WhatsApp use Signal's encryption system, the Signal messaging app provides the same safety for the actual files being sent over its platform, not just the messages. This makes it an especially important tool for journalists.
According to online data, Signal was downloaded about a million times in May, with Reuters reporting that downloads for the app in China and the United States skyrocketed during the coronavirus pandemic.
According to Cellebrite’s announcement last week, “Law enforcement agencies are seeing a rapid rise in the adoption of highly encrypted apps like Signal, which incorporate capabilities like image blurring to stop police from reviewing data.
“Criminals are using this application to communicate, send attachments, and making [sic] illegal deals that they want to keep discrete [sic] and out of sight from law enforcement,” the blog post added.
Despite support for the app’s encryption capabilities, Cellebrite noted that “Signal is an encrypted communication application designed to keep sent messages and attachments as safe as possible from 3rd-party programs.
“Cellebrite Physical Analyzer now allows lawful access to Signal app data. At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives.”
In an earlier, now deleted, version of the blog post, the company went as far as to say: “Decrypting Signal messages and attachments was not an easy task. It required extensive research on many different fronts to create new capabilities from scratch. At Cellebrite, however, finding new ways to help those who make our world a safer place is what we’re dedicated to doing every day.”
The initial post, which was stored on the Internet Archive, also included a detailed explanation of how Cellebrite “cracked the code”: by reviewing Signal’s own open source protocol and using it against it. The company noted in the deleted blog post that “because [Signal] encrypts virtually all its metadata to protect its users, efforts have been put forward by legal authorities to require developers of encrypted software to enable a ‘backdoor’ that makes it possible for them to access people’s data. Until such agreements are reached, Cellebrite continues to work diligently with law enforcement to enable agencies to decrypt and decode data from the Signal app.”
Meanwhile, a report on Gizmodo last Friday revealed that at least eight school districts in the United States – including Los Angeles, which covers over 60,000 students, as well as seven other districts in Texas – were buying “mobile forensic” tools from Cellebrite.
According to data published in America, over 2,000 U.S. police forces use these tools. However, the Gizmodo report is the first time it’s been shown to be used in educational facilities – for instance, to help find child predators.
Israeli human rights lawyer Eitay Mack has been waging war against Cellebrite recently, attempting to force the state to place the firm’s tech under the same regulations as those used for arms sales.
Mack and other activists believe that, for example, sales to Indonesia stress the need for effective oversight of the export of “dual purpose” technologies such as Cellebrite’s. “Dual purpose” technology refers to tech that can be used for both military and commercial purposes.
Cellebrite is not currently subject to independent oversight. It conducts its own examinations and maintains its own blacklist of countries that it is “forbidden” to sell technology to, sources with knowledge of the company told Haaretz’s Oded Yaron.
Responding to previous reports, Cellebrite said it develops technology that “assists law enforcement agencies to collect digital evidence and expedite complex investigations in accordance with the law.”
It continued: “Our technology serves 154 countries and has made convictions possible in more than 5 million cases of serious crime, such as murder, rape, human trafficking and pedophilia. We do not provide information about our clients and their activities. We provide our solutions to authorized agencies only, and apply a range of tools dictating the manner in which they can be used. In addition, we work subject to clear policy and accepted international rules to prevent a business relationship with agencies subject to international restrictions.”
Regarding the question as to why the initial post was deleted, Cellebrite said this: "The original blog post on the company website was replaced because it was an internal draft."
Reuters and Oded Yaron contributed background to this report.