A rather evil and nasty company called “Cellebrite” exists. They sell products that allow people with minimal technical skills to bypass the physical security of smartphones and tablets, extract the information held in them, and analyze that information. This requires the users of their systems to have physical access to the smartphone or tablet – it must rest in their grubby little hands. Cellebrite’s systems do not facilitate remote attacks, so far as we know.
By people with “minimal technical skills,” I’m referring to the minions of law enforcement, military, intelligence agencies, multinational corporations, drug lords, terrorists, arms dealers, tinpot dictators, tyrannical monarchies, human traffickers, private investigators, well-off stalkers, and basically anyone willing to pony up a decently-sized pile of cash. Officially these things are only available to carefully-approved organizations, but it’s well-understood that this promise is a complete farce. Or perhaps they just define “carefully-approved” as anyone willing to carefully-approve and carefully-pay an invoice. The world may never know.
Cellebrite recently announced that their product can decode and analyze information from the Signal app, when their product is used to extract it from a mobile device. This is not surprising as there are a limited number of options for preventing this, most of which end-users would find to be inconvenient. Every other messaging platform that I’m aware of shares this vulnerability.
As we say in the security field: “Boot access is root access.” This means that if you can get your hands on a device and are able to reboot it then you can, with the right set of tools and / or skills, probably do anything you want to it. Some companies make devices hardened against this, but you pay a very pretty penny for them and they involve trade-offs that you would not exactly call “user friendly” (they tend to err on the side of irrecoverably destroying your data).
In any case, what’s more interesting is Signal’s response to this announcement. It’s worth a glance before continuing here:
They could have whined and complained, screamed and shouted, or done a million other useless and petulant things. They took a different approach.
They promptly and accidentally got their hands on a Cellebrite device. Now remember, according to Cellebrite this is impossible – they pinky-promise that only carefully-approved people working for carefully-approved organizations can acquire them. Certainly not accidentally. So this little falsehood is rather swiftly demolished.
They then performed a detailed security analysis on the Cellebrite device, and found that security for the device itself is a complete and total farce. A reasonably-skilled child could tamper with it in a million different nasty little ways. They also found that Cellebrite is apparently being a bit naughty and seems to be illegally distributing copyrighted libraries owned by Apple. We’ll see if Apple decides to do anything about it. Apple is notoriously litigious about things like this, sometimes willing to spend vast sums of money just to make a point.
The last bit of Signal’s response seems to puzzle many people, so I’ll do my best to explain it. They said:
“In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.”
To be blunt: Signal appears to be saying that they will randomly seed their customers’ data with files that just might contain logic bombs that just might detonate when scanned by a Cellebrite device, in a manner invisible to users and next to impossible to detect by Cellebrite. These logic bombs just might do virtually anything – destroy the Cellebrite device, tamper with the current, past, or future logging and analysis, or whatever else they decide just might be amusing. The possibilities just might be endless. But what is truly diabolical is that anyone who uses the Signal software can plausibly claim that evidence retrieved through the analysis of their data with a Cellebrite system just might be tainted. Whoopsie.
Signal is being a bit vague, because they can’t admit that they just might have done or that they just might do anything that just might be illegal. They did, however, walk straight up to that line, stuck their toes exactly on the edge, and gave Cellebrite the finger.
The moral of the story is this: Do not pick fights you can’t win. Do not hack the work of hackers, regardless of whether they are of the white-hat or the black-hat variety. If you do hack the hackers, definitely do not rub their noses in it because they just might hack you right back.
And you have to admire @moixe’s moxie.