By: Dr Tristan Jenkinson and Alex Harrison
Together with many other people in our industry, we have both spoken anecdotally about the arms race between the creators of new technology, and the development of processes that allow the data from that technology to be analysed. As new user devices, software and applications are developed, the digital forensics community play catchup to develop the tools needed to extract, interpret and analyse the data they hold.
This race is perhaps most apparent in the world of mobile forensics, where a stream of new devices, applications, and updates provide a constant challenge for forensic vendors.
Over the past few months one such battle, between the creators of the popular chat app Signal and Cellebrite, has become increasingly bitter, and very public.
On 10 December 2020, Cellebrite released a blog article under the headline “Cellebrite’s New Solution for Decrypting the Signal App”. The article started:
“Gang members, drug dealers, and even protestors have been quick to adopt ways to screen their communications”
Continuing to state:
“Decrypting messages and attachments sent with Signal has been all but impossible…until now.”
The article goes on to talk about the methods used by Cellebrite to gain access to data stored by Signal, including analysis of Signal’s code (which is open source and so available to anyone).
One thing that the article did not do was explain that in order to decrypt the messages and attachments (which had been “all but impossible” previously), the system required the phone to be accessible and unlocked… which means that law enforcement, or whoever had access to the phone, could equally have just opened the Signal app and read everything as the user would have done.
The blog post was taken down by Cellebrite. An updated version of the post, now under the headline “Helping Law Enforcement Lawfully Access The Signal App”, was posted in its place.
The (new) article was raised on Twitter with Moxie Marlinspike (the CEO of Signal), who tweeted:
“This (was!) an article about “advanced techniques” Cellebrite uses to decode a Signal message db… on an *unlocked* Android device! They could have also just opened the app to look at the messages. The whole article read like amateur hour, which is I assume why they removed it.”
What Did “Cellebrite’s New Solution” Do?
There is a potentially fundamental weakness in any end-to-end encryption solution. If someone has access to one of those “ends” (e.g. the mobile device itself) and knows (or is able to bypass) the device’s security lock then they can gain access to the databases in which applications store data.
Those databases may still be encrypted – as is the case with Signal. However, the device needs to be able to decrypt that data to display it to the user, so there must be a methodology to decrypt the data in those applications using information on (or accessible to) the device itself.
Cellebrite identified how to decrypt the Signal chat databases and render the data in its unencrypted form, much as has been generally possible with the likes of WhatsApp, Telegram, Facebook Messenger and countless other applications for a number of years. As was highlighted by Moxie Marlinspike, the decryption still required the phone to be unlocked and there was no interception of messages sent or received.
Having access to an unlocked device is a common requirement for the extraction of data from mobile devices. There are exceptions – for example exploits exist for specific mobile phone chip sets which can be used to gain access to the data without the device password.
“No, Cellebrite cannot decrypt Signal communications. What they sell is a forensic device cops connect to insecure, unlockable phones to download a bunch of popular apps’ data more easily than doing it manually. They just added Signal to that app list. That’s it. There’s no magic.”
The Haaretz Story
On 14 December 2020, Haaretz ran a story titled “Israeli Phone-hacking Firm Claims It Can Now Break Into Encrypted Signal App”. The article stated:
“Israeli phone-hacking firm Cellebrite can now break into Signal, an encrypted app considered safe from external snooping, it claimed in a blog post on Thursday.”
As explained above, this is not entirely accurate.
The article also quoted Cellebrite as stating “The original blog post on the company website was replaced because it was an internal draft”. Omer Benjakob, who also writes for Haaretz, mentioned this on Twitter in conversation with Moxie Marlinspike.
The BBC Story (and Signal Riposte)
On 22 December 2020, the BBC (having picked up on either the Cellebrite post, or possibly the Haaretz story) released a story with the headline “Signal: Cellebrite claimed to have cracked chat app’s encryption”.
The BBC article stated that:
“Cellebrite has claimed that it can decrypt messages from Signal’s highly secure chat and voice-call app, boasting that it could disrupt communications from “gang members, drug dealers and even protesters””
Signal, somewhat unimpressed by the BBC’s reporting, posted a counter-article on their own blog site the following day (23 December 2020), refuting the claims made and explaining how, and in what circumstances, Cellebrite could access the Signal chat data.
The Haaretz Update
Following the Signal riposte, Haaretz released a new article titled “No, Signal – the World’s Most Encrypted App – Was Not Hacked by Israeli Firm Cellebrite”.
The article includes an interview with an unnamed Israeli cryptographer, who they quote as saying:
“If they actually managed to break the end-to-end encryption, it would be the end of cryptography as a field as we know it. And that is not the case.”
Signal Attack Cellebrite with Exploit Demonstration
After the initial skirmishes above, the spat between Signal and Cellebrite went quiet.
That is, until last week, when Signal posted a follow-up article. Signal had managed to obtain a Cellebrite kit, including the software and required licences, apparently in order to see how it worked and what it was capable of.
What resulted, however, was an attack on Cellebrite’s software that focused on a number of security vulnerabilities.
To provide some additional context, Cellebrite’s tools, such as Physical Analyzer, are used by law enforcement agencies, regulators, and in-house cyber security teams at countless corporations, often in highly secured and controlled environments. The data on these systems may be extremely sensitive. Data being acquired by Cellebrite (and other similar tools) from custodian devices (often belonging to suspected or known criminals) is typically unknown to the operator and therefore should not be trusted as a matter of course.
What Signal discovered is that Cellebrite performs no sandboxing – the isolation of data to segregate it from the main computer system – during the data acquisition and analysis phases. This means that it would be theoretically possible for malicious code to be hidden in an application on a mobile device, which could then be executed on the host system when Cellebrite accessed it.
Signal went further than this, taking a hypothetical suggestion of what might be possible, and creating a working demonstration of how this could be done – including a video demonstrating the exploit being run in real time.
Cellebrite Remove Functionality
As a result of Signal’s research, Cellebrite appear to have been forced to release an update this week (W/C April 26th).
It appears that Cellebrite were not able to patch the issues identified quickly, so instead have disabled the ability to perform acquisitions from iOS devices (such as iPhones) using their Physical Analyzer solution to prevent usage of the exploits raised by the Signal team. A copy of the release notes from Cellebrite is below:
The release note didn’t reference the dispute with Signal directly but, given the close proximity to the Signal blog post release, it seems likely that this is the reasoning behind it.
It is important to note that iOS devices can still be acquired using their UFED solution – a standalone physical tablet device that runs Cellebrite’s acquisition software – but even so it seems likely that this will cause issues for Cellebrite customers who often work in fast-paced investigations.
Returning to our arms race analogy from the top of this article, it would probably be fair to say that Signal have won this particular battle.
In the longer term the incident is likely to result in Cellebrite creating a better and more secure product. The experience may also make them more careful about what information and capabilities they publicise. This increased caution, from a company that already operates with a great deal of secrecy, means that they may be more likely to hold on to some of their secrets, shielding them from view of the public.
It is also worth considering what else (if anything) the team at Signal found that they didn’t publish in their blog.
Another area of consideration is the impact in the legal world. While there is no evidence (yet) of such an exploit being used in the wild, in Signal’s words:
“… by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.”
Given the possibilities above, it seems that there may be questions asked about the reliability of data extracted using Cellebrite systems.
This appears to have already started, with Motherboard reporting that a judge has been requested to grant a new trial to a defendant in a case involving evidence obtained using Cellebrite.
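As an added illustration (not code from Signal’s post or from Cellebrite’s software) of why the quoted point about “no checksum failures” matters: a checksum stored inside a report offers no protection when the host that writes the report can be made to rewrite it, whereas a keyed manifest recorded by a separate system at export time does detect later changes. The report format, the messages and the key are constructed for this example.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample extraction report and key; not a real Cellebrite report format.
SAMPLE_REPORT = {
    "device": "constructed-device-001",
    "messages": [
        {"ts": "2021-04-20T10:00:00Z", "from": "alice", "text": "hi"},
        {"ts": "2021-04-20T10:01:00Z", "from": "bob", "text": "hello"},
    ],
}
OFF_HOST_KEY = b"constructed-demo-key-never-stored-on-the-acquisition-host"

def canonical(body: dict) -> bytes:
    """Serialise the report body deterministically so digests are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def write_report(body: dict) -> dict:
    """Host-side export: the checksum lives inside the report it protects."""
    return {"body": body, "sha256": hashlib.sha256(canonical(body)).hexdigest()}

def verify_embedded(report: dict) -> bool:
    """Naive check: recompute the embedded checksum. Anything that can rewrite
    the body on the host can refresh this field too, so a match proves little."""
    expected = hashlib.sha256(canonical(report["body"])).hexdigest()
    return hmac.compare_digest(report["sha256"], expected)

def keyed_manifest(body: dict, key: bytes) -> str:
    """Out-of-band record: HMAC over the body, computed by a separate system at
    export time with a key the acquisition host never holds."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def verify_manifest(report: dict, manifest: str, key: bytes) -> bool:
    """Check a stored report against the manifest taken when it was exported."""
    return hmac.compare_digest(manifest, keyed_manifest(report["body"], key))

def host_rewrite(report: dict, extra_message: dict) -> dict:
    """Model the outcome Signal describes: a report changed on the host after
    export, with its embedded checksum regenerated so it still 'verifies'."""
    body = deepcopy(report["body"])
    body["messages"].append(extra_message)
    return write_report(body)
```

This only catches changes made to a report after its manifest was recorded; a report altered while it is being generated would be manifested in its altered form, which is the harder problem the quote raises.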