Signal drops a bomb on the phone hack tool used by law enforcement

Signal has all but declared war on the smartphone data extraction tool Cellebrite, dropping heavy hints that it will update its secure messaging app in a way that could undermine any law enforcement use of the controversial analyzer. Cellebrite offers one of a number of data extraction devices, often described as phone hacking tools, which promise to pull messaging logs, call and SIM records, and more from iPhone and Android handsets.

It has proved a divisive area of "digital intelligence," given both privacy laws and some of the reported clientele. Though Cellebrite pitches its "UFED" system as being intended for law enforcement agencies and enterprises, it has been accused of also supplying devices to authoritarian regimes.

As recently as March 2021, in fact, the company said it was ceasing sales to the Russian Federation and Belarus, amid concerns that continuing to do so would not be in accordance with "accepted international rules and regulations." In December 2020, meanwhile, Cellebrite said it had added the extraction of Signal messaging data to its portfolio of services.

The reality, Signal says, is a lot less impressive. Matthew Rosenfeld, creator of Signal, who goes by Moxie Marlinspike or "moxie0", managed to acquire a Cellebrite UFED and promptly set about dissecting its software. It turns out that not only are the original "Signal cracking" concerns from late last year overblown, but the tool has some serious flaws of its own.

UFED's ability to read Signal messages depends on the target device being unlocked and in the physical possession of whoever is operating the Cellebrite kit, Rosenfeld explains:

"One way to think about Cellebrite's products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands." Matthew Rosenfeld, Signal

Meanwhile, because it bundles some very old, very out-of-date DLLs, missing more than a hundred security patches, Cellebrite's software is itself vulnerable to a number of attacks. Rosenfeld found that by "including a specially formatted but otherwise innocuous file in any app on a device", it is possible, when that device is scanned by Cellebrite, to run code that modifies not just the current UFED report but all previous and future reports as well, potentially inserting or removing text, email, photos, contacts, files, or other data, with no record of that tampering.

"This could even be done at random," Rosenfeld suggests, "and would seriously call the data integrity of Cellebrite's reports into question."
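The integrity point above is the one a forensic practitioner should take away: if the host that produces the reports is the same host that checks them, a compromise of that host leaves nothing trustworthy to check against. The example below is added here to illustrate that; it is not Signal's or Cellebrite's code, and the report format, file paths and key are invented for the demonstration. It seals each report with an HMAC under a key that is assumed to be held off the scanning host, stores the tags in a ledger kept off that host, and then shows that a silent edit to an earlier report is caught even though nothing else about the file changed.

```python
import hashlib
import hmac
import json

# Constructed sample reports, standing in for the output of a phone extraction
# tool. The field names and values are invented for this example and are not
# Cellebrite's report format.
REPORTS = {
    "case-001/report.json": json.dumps(
        {"device": "handset-A", "messages": ["hello", "see you at 5"]},
        sort_keys=True,
    ).encode(),
    "case-002/report.json": json.dumps(
        {"device": "handset-B", "messages": ["lunch?"]},
        sort_keys=True,
    ).encode(),
}


def seal_reports(reports: dict[str, bytes], key: bytes) -> dict[str, str]:
    """Produce a ledger mapping each report path to an HMAC-SHA256 tag.

    The key and the ledger must be held somewhere the scanning host cannot
    write to; otherwise code running on that host can simply re-seal whatever
    it has changed, which is exactly the problem the post describes.
    """
    return {
        path: hmac.new(key, data, hashlib.sha256).hexdigest()
        for path, data in reports.items()
    }


def verify_reports(reports: dict[str, bytes], ledger: dict[str, str], key: bytes) -> list[str]:
    """Return the sorted list of ledger entries that no longer verify.

    A report counts as tampered if it is missing or its tag does not match.
    hmac.compare_digest keeps the comparison constant-time.
    """
    bad = []
    for path, expected in ledger.items():
        data = reports.get(path)
        if data is None:
            bad.append(path)
            continue
        actual = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, expected):
            bad.append(path)
    return sorted(bad)


def demo() -> list[str]:
    """Seal the sample reports, then simulate a silent edit of an old one."""
    key = b"example-key-provisioned-off-host"  # assumption: never stored on the scanner
    ledger = seal_reports(REPORTS, key)

    # The edit changes only the content: no timestamp, size-of-directory or
    # on-host checksum is consulted, so only the off-host tag can flag it.
    tampered = dict(REPORTS)
    tampered["case-001/report.json"] = json.dumps(
        {"device": "handset-A", "messages": ["hello", "see you at 5", "planted line"]},
        sort_keys=True,
    ).encode()
    return verify_reports(tampered, ledger, key)


if __name__ == "__main__":
    print(demo())  # ['case-001/report.json']
```

This only protects reports that were sealed before the scanning host was compromised. Once attacker code runs on that host, it can emit any report it likes and the host will seal it as genuine, so the caveat about future reports stands regardless of how the archive is protected; the sealing step has to happen on a machine that never parses data taken from a suspect device.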

The software also includes Apple DLLs which would, officially, require permission from the Cupertino firm to redistribute. It's unclear whether Cellebrite actually sought, and was granted, that permission.

As for the outcome of all this digging, Rosenfeld drops some very heavy hints that Signal will start quietly placing files of the kind he describes as capable of compromising Cellebrite UFED data. "In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage," he concludes.