with Aaron Schaffer

Phone-cracking products from Cellebrite, an Israeli surveillance firm favored by U.S. law enforcement and repressive regimes abroad, have vulnerabilities that could be exploited to tamper with data, according to a new report from the encrypted-messaging app Signal.

The volley, which comes about five months after Cellebrite announced it would add capabilities to read files from Signal's messaging app, ratchets up the battle between encrypted services and the tools being sold to undermine them. Evidence from encrypted services is often sought by police in criminal cases, including from alleged perpetrators of the Jan. 6 Capitol riot.

Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present, a blog post by Signal founder Moxie Marlinspike notes.

Phone cracking technologies like Cellebrite have grown in popularity as tech companies and law enforcement continue to spar over encryption. Law enforcement officials argue they should have special access into the technology to read the messages of suspected criminals. Tech companies and cybersecurity experts say there is no way of providing a backdoor for police that criminals couldn't also exploit.

A report from nonprofit Upturn found more than 2,000 law enforcement agencies across all 50 states have purchased tools including Cellebrite to extract data from phones. Cellebrite has also sold the technology to repressive regimes in Turkey, the United Arab Emirates and Russia, among others.

Most recently, the FBI used Cellebrite to gather thousands of pages of data from the phone of just one suspect in the Capitol riot, The Washington Post reported.

If data collected by Cellebrite's tools could be tampered with, as Signal claims, it could create doubt in the courtroom if presented as evidence.

“That now sows a little bit of doubt about the veracity of the stuff that they're working with and what they're producing for all their clients,” says Paul Rosenzweig, resident senior fellow for cybersecurity and emerging threats at the R Street Foundation and a former homeland security official. “It doesn't mean anything for an authoritarian regime but for an American system it might be a grounds for questioning the data from Cellebrite if I was a defense attorney for someone from the Capitol riots.”

Signal says it will share the specific vulnerabilities with Cellebrite, but only if the company will agree to “do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”

Given that Cellebrite's business model relies on vulnerabilities, that's highly unlikely. Cellebrite creates a backup of phone files, allowing investigators to parse the files in a browsable form. Essentially, the tool automates the process of manually going through an unlocked phone and documenting all its contents. The tool can unlock a phone, but it does not break the encryption used by companies such as Signal. Instead, it views the messages on the user's end. It still needs to exploit vulnerabilities, however, to get into the phone and retrieve those files.

Cellebrite declined to answer questions about Signal’s claims.

Experts say the vulnerabilities point to very real concerns over the security of technology that law enforcement is increasingly relying on to prosecute criminals.

Criminal justice advocates and privacy researchers have pushed for technical reviews of the technologies used by police, such as predictive policing algorithms and facial recognition. The doubts raised by Signal's research could put phone surveillance tools on watch next.

“It certainly is an escalation in the battle to protect user privacy,” says Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory. “They made a very important point here which is any technology that is ultimately used by a court of law to put someone behind bars and take away their freedom should have at least adequate security guarantees.”

Signal may — or may not — plan on exploiting the vulnerabilities.

The Signal blog post outlines a hypothetical scenario in which a hacker could create a file that, once scanned by Cellebrite, would modify any previous and future reports from the device. For instance, hackers could scrub or add texts and photos.

Following the hypothetical scenario, Signal announced in completely unrelated news it would start placing files in random phones that have had the app installed for some time already.

“We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time,” Marlinspike writes. “There is no other significance to these files.”

Signal wouldn't confirm or deny the files are designed to exploit Cellebrite.

Update: This file has been updated with Cellebrite's response.

Chat room

The Record’s Catalin Cimpanu described Signal’s explanation for how it got the Cellebrite technology as the “troll of the year.”

The keys

Facebook said it discovered Palestinian hackers on its platform.

Nearly 800 people were targeted in the cyberattacks, the Associated Press’s Josef Federman reports. However, the social media network could not say how many people downloaded malicious software allowing the hackers, who Facebook said were linked to Palestine’s PSS intelligence agency, to access their phones.

The group’s hacks, which ramped up in the past six months, coincide with the run-up to the first Palestinian elections in 15 years. Facebook said it also detected another hacking group, Arid Viper, which targeted people in the region, including government officials.

“We respect the media, we work within the law that governs our work, and we work according to law and order,” Ikrimah Thabet, a PSS spokesman, told Reuters, denying the accusations. “We respect freedoms, privacy and confidentiality of information.”

A bipartisan group of lawmakers introduced a bill to rein in the government’s dealings with data brokers.

The legislation would ban U.S. law enforcement agencies and the government from buying personal data without a warrant, Drew Harwell reports. It was introduced by Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) amid scrutiny of the personal data brokers' practices.

Federal agencies bought location data for immigration and border enforcement, the Wall Street Journal reported. Despite claims that the data has been anonymized, commercial databases reveal the movements of Americans in detail, according to the New York Times.

“Doing business online doesn’t amount to giving the government permission to track your every movement or rifle through the most personal details of your life,” Wyden said in a statement, adding that the bill “ensures that the government can’t use its credit card to end-run the Fourth Amendment” rights against unreasonable searches.

The Justice Department launched a task force to battle hacks-for-ransom.

Acting deputy attorney general John Carlin wrote in an internal memo this week that ransomware “jeopardizes the safety and health of Americans,” the Wall Street Journal’s Dustin Volz reports.

The memo calls for the government to develop a strategy that targets the broader ransomware ecosystem, including reining in the forums and hosting services that publicize and enable the hacks. The government task force will include the Justice Department, the FBI and an office that supports federal prosecutors.

Hill happenings

A bipartisan bill to boost cutting-edge tech research got backing from the White House.

The bipartisan bill, which lawmakers have touted as a way to counter China's technological advances, would expand the National Science Foundation and give a new Technology Directorate within the foundation $100 billion for research on advanced technology like artificial intelligence and robotics.

White House press secretary Jen Psaki said in a statement that the Endless Frontier Act, which proposes $10 billion for regional technology hubs, is “one more encouraging sign of the bipartisan support for investing in America’s competitiveness.”

Industry report

Researchers say hackers are using Telegram to launch cyberattacks.

Check Point Research says it detected more than 130 cyberattacks over the last three months that used malware spread using the popular messaging app. Telegram, which researchers say has been used by hackers for years, did not respond to a request for comment.

Mentions

  • Former senator Saxby Chambliss, a Republican who represented Georgia, has registered to lobby for SolarWinds via DLA Piper, LegiStorm’s Keturah Hetrick reports.

Daybook

  • Former undersecretary of state Keith Krach and retired four-star Gen. Stanley McChrystal discuss how the United States and its allies can create a global cyber-trust network at a Washington Post Live event today at 11 a.m.
  • Former acting Defense Intelligence Agency director David Shedd and former Undersecretary of Defense for Intelligence Steve Cambone speak at a Heritage Foundation event on the intelligence community on Friday at noon.

Secure log off