Israeli Spy Tech Firm Says It Can Break Into Signal App (haaretz.com)
Last Thursday, Israeli phone-hacking firm Cellebrite said in a blog post that it can now break into Signal, an encrypted app considered safe from external snooping. Haaretz reports: Cellebrite's flagship product is the UFED (Universal Forensic Extraction Device), a system that allows authorities to unlock and access the data of any phone in their possession. Another product it offers is the Physical Analyzer, which helps organize and process data lifted from the phone. Last Thursday, the company announced that the analyzer has now been updated with a new capability, developed by the firm, that allows clients to decode information and data from Signal. Signal, owned by the Signal Technology Foundation, uses a special open source encryption system called Signal Protocol, which was thought to make it nigh-on impossible for a third party to break into a conversation or access data being shared on the platform. It does so by employing what's called "end-to-end encryption."
According to Cellebrite's announcement last week, "Law enforcement agencies are seeing a rapid rise in the adoption of highly encrypted apps like Signal, which incorporate capabilities like image blurring to stop police from reviewing data. "Criminals are using this application to communicate, send attachments, and making [sic] illegal deals that they want to keep discrete [sic] and out of sight from law enforcement," the blog post added. Despite support for the app's encryption capabilities, Cellebrite noted that "Signal is an encrypted communication application designed to keep sent messages and attachments as safe as possible from 3rd-party programs.
"Cellebrite Physical Analyzer now allows lawful access to Signal app data. At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives." In an earlier, now deleted, version of the blog post, the company went as far as to say: "Decrypting Signal messages and attachments was not an easy task. It required extensive research on many different fronts to create new capabilities from scratch. At Cellebrite, however, finding new ways to help those who make our world a safer place is what we're dedicated to doing every day." The initial post, which was stored on the Internet Archive, also included a detailed explanation of how Cellebrite "cracked the code" by reviewing Signal's own open source protocol and using it against it. The company noted in the deleted blog post that "because [Signal] encrypts virtually all its metadata to protect its users, efforts have been put forward by legal authorities to require developers of encrypted software to enable a 'backdoor' that makes it possible for them to access people's data. Until such agreements are reached, Cellebrite continues to work diligently with law enforcement to enable agencies to decrypt and decode data from the Signal app."
Prove it (Score:5, Insightful)
Cellebrite is the real deal (Score:5, Insightful)
This isn't some random nobody making a claim. Cellebrite is the world leader in mobile device forensics. Their product is the best there is.
If Cellebrite announces a new feature in their product, it's because their product has a new feature.
Re: Cellebrite is the real deal (Score:2, Troll)
Then prove it.
Your comment can be made about anything. Just substitute the name. You have zero credibility. Actually, not showing proof even on direct request lowered you into negative space. So even if you were the Mossad spin-off itself, this would be an argument *against* their credibility.
Re: Cellebrite is the real deal (Score:5, Insightful)
They will prove it. . .to all their paying customers. That's the whole point of them releasing this story, it's to advertise their services. They're not boasting for the sake of boasting, they're advertising a service. They wouldn't advertise the service if they couldn't deliver. That's how you piss off customers and ruin your good* name.
*"Good," in this case, meaning good at what they do. I do not consider those who profit from expanding the surveillance state to be morally good.
Re: (Score:2)
It is time for a software update to Signal.
Re: (Score:3)
Will they? Most people are quite careless about their data, using the same passwords in many locations and deliberately leaving back doors for their convenience. As XKCD pointed out, sometimes it's much faster to buy a $5 wrench and threaten someone with it than to crack robust encryption.
https://xkcd.com/538/ [xkcd.com]
Looking quickly on Ebay, $5 can buy a surprisingly large wrench.
Re: (Score:2)
Now you just need to develop a technique where you use that $5 wrench to intimidate somebody, without them knowing you did it.
Re: (Score:2)
That is what a minion is for. Or plausible deniability. Or Guantanamo Bay.
They had root. (Score:5, Informative)
I literally did what they did, a month ago when I had to get my Signal data from a broken phone.
As long as Signal has to unlock the keys to use them for encryption/decryption, obviously the OS and hardware have full access.
This is why a secured messenger on a consumer device always was kind of a joke, even with "secure enclaves".
</thread> (Score:2)
Whoops, Slashdot swallowed the HTML tag (</thread>) in the subject line. This way, replying to myself makes no sense. :-/
Let's see if it works now.
Re:They had root. (Score:4, Insightful)
I literally did what they did, a month ago when I had to get my Signal data from a broken phone.
As long as Signal has to unlock the keys to use them for encryption/decryption, obviously the OS and hardware have full access.
This is why a secured messenger on a consumer device always was kind of a joke, even with "secure enclaves".
Whether or not Signal is a joke depends entirely on your behaviour and what you expect from it. For the average person Signal is probably enough to encrypt their comms since the average person is neither engaged in hard core crime, terrorism or high treason. The most they are expecting is that their wife/husband can't catch them cheating. When the device is seized and physically hacked, that's a whole other matter altogether. If you want to defend against that you should swap your burner phone, Signal account and crypto keys out regularly. Failing that go with the Al Qaeda method and use couriers since I don't think Signal was intended to stand up to national security forces level hacking attempts indefinitely regardless of what Signal's marketing department says.
Re: (Score:2)
Changing your keys regularly can be a problem. To verify the new key you need to meet in person with your contacts. If you don't, then the security services could change the key and your contacts will just assume you did it.
Even if you do that though it won't help much with this attack because the message history will still be on your phone.
Re: Cellebrite is the real deal (Score:4, Funny)
Taco Bell: Updates their menu to add sour cream to their chicken quesadilla
Barefoot: Prove it! You have zero credibility because you haven't hand-delivered quesadilla to me personally, Taco Bell!
Re: (Score:2)
Their product is the best there is.
An interesting way to refer to blackest of black hats.
Re: (Score:2)
Re: (Score:3)
Cellebrite will help just about anybody with money, "from private investigators to nation-states", to grab any data they want from any phone they like, without asking pointed questions about who really has the right to the data in each and every case. In fact, they just hand over copies of their tools to people they don't control, including known bad actors, and trust that those customers will do the "right thing".
That is "malicious damage", just as much as any other for-pay malware on the market.
AND they
Re: (Score:3)
Grey hat. Google it.
Re: (Score:2)
I like "Dingy Hat"
Re: Cellebrite is the real deal (Score:2)
Not to be confused with dinghy hat, aka Hatty McHatface.
Re: (Score:2)
boldly states they can ruin somebody's phone app.
a for effort.
Re: Prove it (Score:2)
They just made almost-peace with Saudi Arabia and Syria.
But more because they are so alike and the Saudis with their literal shariah law look up to them for evilness.
Re: (Score:2)
Where would you feel safer walking through the streets with your wife and children? Saudi Arabia or Israel? Which country is known for detaining people for arbitrary reasons with no charge for months at a time? Which country is known for torture? Which country's rulers have absolute power over life and death of its inhabitants? Your "evilness" statement is utter nonsense.
Re: (Score:2)
When you're talking about "more evil" and "less evil", you aren't talking about "not evil".
Israel does more than its fair share of evil deeds. That they arguably aren't as evil as the house of Saud doesn't make them good, or even neutral.
Re: (Score:2)
I'm not sure what your point is. They are an Israeli company. I wouldn't attribute to America, as a whole, the invention of the beer hat or whatever other dumb thing some American company came up with.
Also, with the exception of Facebook, Israel is equally antagonistic in their relationships with all the actors you mention.
Re: (Score:2)
so we will see this product advertised on amazon dot com
Re: (Score:3)
It seems that you just type some key phrases from whatever thought process is going on in your mind, but there is no way for the reader to know what you're talking about.
Here's a tip: try writing complete sentences. I'm not trying to be snide or a dick or anything, you're just not communicating effectively.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
With past moments like this?
https://www.bleepingcomputer.c... [bleepingcomputer.com]
Apparently once again this is about doing far too little to protect the sqlcipher key.
Amateurs...
Re: (Score:1)
Bold claims need bold evidence. They need to show it not say it.
That kind of logic is usually valid, but it does not apply here. This is a serious and well-known company that is known to sell working cyber weapons like this one. If they claim this works, you have to err on the side of caution. Thus you have to assume that this works and that Signal is broken now and therefore you have to re-evaluate your threat-model and switch to different products if needed.
Re: (Score:2)
Not so bold.
From the announcement: "of any phone in their possession". I understand this to mean they can read already received messages, not intercept messages "in flight".
I don't quite know what's special about it.
Re: Cellebrite Physical Analyzer now allows lawful (Score:2)
It's not a stretch. It is an outright crime. With a prison sentence and all.
But hey, Mossad, right?
Legal term. (Score:2)
"Lawful intercept" is a legal buzz-phrase. It refers to the hooks governments require that communication product companies install to allow government spying, and various agencies (such as police departments) use of those hooks.
Re: (Score:2)
It means "technically legal", it certainly doesn't mean "in the spirit of the law" or "ethical".
Codswallop! (Score:5, Interesting)
Re:Codswallop! (Score:5, Insightful)
Their claim is that if they have access to your unlocked phone,
They can sell you that service, too.
Re: (Score:2)
Yes like 1+1=2, having remote access + local exploits = remote exploits.
People assume using WhatsApp, Signal or any other end-to-end encryption will secure their transmissions. Yes, that would be true while in transit. However once they reach the other party all bets are off. Especially for a modern phone with not one, not two, but at least three operating systems that have access to the radio: https://www.extremetech.com/co... [extremetech.com]
Re: (Score:3)
> if they have access to your unlocked phone
Most phones have radios with backdoors/exploits that allow DMA access from a privileged attacker.
Re: (Score:2)
Except the Signal app should be encrypting its storage to prevent easy extraction of messages. And the Signal app, if it's in a secure mode, should be demanding you lo
Re: (Score:2)
In fact, if I or anyone else has access to your unlocked phone, we could probably just launch the Signal app, and see your old messages.
In the US, in airport international zones, which are technically international turf, the DHS can detain you before entry and require you to unlock your computer and phone. They then root through them for hours. This is without a warrant or even cause for suspicion. It's just fishing.
Re: (Score:2)
I don't think this is true anymore.
https://www.nbcnews.com/tech/s... [nbcnews.com]
Why (Score:2)
I don't recall Churchill bragging about breaking Enigma during WWII.
Re: Why (Score:3)
Because they
1) want to sell it [well, not for long they won't]
2) want you to switch to their trojan horse messenger from a front business instead.
3) are morons [unlikely]
Re: (Score:2)
Re: (Score:2)
Because this type of attack is extraordinarily hard to mitigate, and unlikely to be something Signal can really do (a little cat and mouse, but that just gives them many iterations of upgrades to justify their long-term support contracts). And people aren't going to migrate away from Signal because of it - network effects are very real things.
Re: (Score:2)
Because this type of attack is extraordinarily hard to mitigate, and unlikely to be something Signal can really do
But the users of Signal that are of greatest interest to government TLAs can take steps to mitigate. Using their own code over Signal to communicate for example.
This is announced, to get people off of Signal. (Score:1)
And onto whatever their front business is offering victims.
Make no mistake, Moxie's gonna be all over this and fix it ASAP, if it isn't merely a lie for them backdooring the Android it runs on, like everyone else would do.
I don't see how they could have broken perfect forward secrecy, unless the underlying cypher or key exchange had been broken. And that would have *way* bigger implications than just Signal.
EDIT: It's not broken! They had root! (Should've re (Score:3, Informative)
Excuse me, it is very late here.
Key line from the original Cellebrite post "If someone has root access".
LOL. Yeah, you geniuses. I did that, a month ago, when I had to migrate from a broken phone. It's root! On the device! Of course you are toast then! It's not a secured device or OS!
Here's the Signal issue:
https://github.com/signalapp/S... [github.com]
Re: (Score:3)
Here's a hint of how it could work (Score:2, Informative)
Here's one likely avenue of attack, just to get your brain ticking, if you can be open-minded enough to consider the possibility that maybe, just maybe, Taco Bell might make tacos and Cellebrite might make mobile forensics software.
Please kindly read all three sentences that follow before throwing a tantrum, to avoid writing a reply that makes you look foolish.
1. When you open the app, you can see the messages you've received, which are from the messages database on the phone.
2. Some of those messages may ha
Re: (Score:3)
By your own logic, point No.2 can never occur.
I would have to go and read the specifics of the Signal protocol and the underlying messaging protocol that Signal protects, but I have this vague idea that this is a loosely-coupled system. Because the sender of a message cannot know at the time of sending that the recipient has their device and Signal both active, they rely on the network to buffer the messages. When the
Decrypted on line 32 of remoteToLocalStorageRecord (Score:2)
It's encrypted in transit. You can see here on line 32 it's decrypted in remoteToLocalStorageRecord().
https://github.com/signalapp/S... [github.com]
No need to guess how it works, we have the code.
Re: (Score:2)
Let me see (Score:2)
Re: (Score:2)
Re: (Score:1)
>Security group claims they can defeat its security, which no one else can
>You: "It's not actually a vulnerability"
I feel a lot better
Re: (Score:2)
That's a responsibility to some subset of the world (Signal users). These are researchers who supply software to police departments and TLAs to break encryption on phones. It's responsible to their user base.
Re: (Score:1)
Re: (Score:2)
I mean, assuming they believe in the governments they supply the software to, they found something they believe in that pays well. Facebook engineers (hell, most of Silicon Valley) seem to fit the same bill.
They found NSA's back door.. (Score:2)
Re: (Score:3)
> NSA has backdoors into almost every app. Signal isn't an exception.
Point to the LOC on Github. Oh, you can't.
Re: They found NSA's back door.. (Score:1)
Hot Damn! a product with very little need (Score:1)
But most LEO's don't know that.
I mean could just launch the freaking app in most cases.
Are LEO's having problems cracking the phones after they clone them?
Come on. Android security if you have the phone is obvious.
If they've automated the process, there might be cost incentives.
I doubt it. If so it hints at systematic abuse and cloning of phones as routine and without warrants.
If you have the End, of the End-to-End Encryption (Score:4, Insightful)
It's end-to-end encryption. If you have the End, you have the data.
From my read of this, they haven't done a thing to get at the data while it is in the middle, which is the part I thought Signal was focused on protecting. It's certainly the part I'm most concerned with.
I assume that if they can crack my phone, if they can authenticate as if they are myself, then they can get at whatever the Signal app would be willing to show me.
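The distinction several comments in this thread draw, between forward secrecy for messages in transit and the message history kept on the endpoint, shown as an added example (not part of any comment, and not Signal's or Cellebrite's code). It assumes a one-directional HMAC chain in the style of the Double Ratchet symmetric-key ratchet, omits the Diffie-Hellman ratchet, and uses a toy HMAC-based cipher in place of a real AEAD; `Endpoint`, `seal`, `open_sealed` and `seized_device_view` are hypothetical names.

```python
import hashlib
import hmac
import os


def ratchet(chain_key):
    """One symmetric-ratchet step: (next chain key, one-time message key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def _stream(key, length):
    # Toy keystream (HMAC in counter mode), a stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(message_key, plaintext):
    """Encrypt-then-MAC under a one-time message key."""
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(message_key, len(plaintext))))
    return body + hmac.new(message_key, b"mac" + body, hashlib.sha256).digest()


def open_sealed(message_key, blob):
    """Return the plaintext, or None if the key does not match."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(message_key, b"mac" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(message_key, len(body))))


class Endpoint:
    def __init__(self, chain_key):
        self.chain_key = chain_key
        self.history = []  # local message store: readable once the app is unlocked

    def send(self, plaintext):
        self.chain_key, mk = ratchet(self.chain_key)
        self.history.append(plaintext)
        return seal(mk, plaintext)

    def receive(self, blob):
        self.chain_key, mk = ratchet(self.chain_key)
        plaintext = open_sealed(mk, blob)
        self.history.append(plaintext)
        return plaintext  # mk is not kept: old message keys are gone


def seized_device_view(messages, lookahead=50):
    """What the state on a seized endpoint does and does not give access to."""
    shared = os.urandom(32)                   # constructed initial chain key
    alice, bob = Endpoint(shared), Endpoint(shared)
    wire = [alice.send(m) for m in messages]  # ciphertexts a network observer recorded
    for blob in wire:
        bob.receive(blob)
    # State present on Bob's device at seizure time.
    chain_key, history = bob.chain_key, list(bob.history)
    recovered_from_wire = []
    for _ in range(lookahead):                # every key derivable from the seized chain key
        chain_key, mk = ratchet(chain_key)
        for blob in wire:
            plaintext = open_sealed(mk, blob)
            if plaintext is not None:
                recovered_from_wire.append(plaintext)
    return {"recovered_from_wire": recovered_from_wire, "stored_history": history}


if __name__ == "__main__":
    print(seized_device_view([b"meet at 9", b"bring the files"]))
```

The chain key only moves forward, so recorded traffic stays sealed. What protects `history` is storage encryption, retention settings such as disappearing messages, and how the device guards its database key.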
There's Still the Law (Score:2)
If Cellebrite are operating under a government-sourced signals-intelligence contract [for example, in the same way that BAH provide services to the government] then there may be an argument [may be] written in to the contract between the federal government and Celle
+++ BREAKING NEWS +++ (Score:4, Funny)
Is it just me (Score:2)
Or does anyone else get the urge to build the ultimate unhackable comms system when they read such articles?
- Fully air gapped
- Does not run on a phone
- Cannot be updated
Re: (Score:2)
I'm genuinely not sure if you're trolling. How is a system going to communicate if it is "fully air gapped?" Air gapping is (mostly) great for systems that do not need to cross-communicate, but you're explicitly talking about a "comms system."
Re: (Score:2)
Just thinking out loud. Perhaps QR codes or manually typed phrases like they use to encode bitcoin seeds. The BIP39 stuff. It's a hassle, but there are times when security is more important than convenience.
Re: (Score:2)
At Cellebrite, we "work tirelessly" (Score:5, Insightful)
At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives
Translation:
At Cellebrite, we pay cash for exploits, repackage and sell them to repressive governments the world over so they can find new ways to accelerate state surveillance, crack down on dissent, and jail/assassinate their citizens
If the vuln exists, thanks for the heads up (Score:1)
If the vulnerability noted in the post exists, Signal can (hopefully) close it and slam the gates.
Reading through the archived post, the following is doing a lot of heavy lifting 'The “data” field contains an encrypted json file, that once decrypted, contains the decryption keys of the sent attachments.' ; in the other cases, they were calling out where the information was found in the system, so I'm wondering how that worked.
Lastly, the tone of the author was leaning towards "these fools posted
It's not much of a secret... (Score:2)
Signal uses a sqlcipher database, which has a master key. For a number of years they even made the mistake of storing the database key completely in the clear on the device. A very quick search of github reveals the "sophisticated methods" this firm must have also used to "crack" signal...
https://github.com/Magpol/HowT... [github.com]
This might be one of the few cases where a thumbprint might be useful, you could for example cipher the sqlite key under it. Wannabe players...
Device Assumptions (Score:2)
'Authorities' is anyone with a bank account (Score:2)
Just ask Jamal Khashoggi what trusting 'Authorities' gets you.
illustrations: (Score:1)