Signal slams Cellebrite security company over alleged security holes

Image source, Getty Images

Encrypted-messaging app Signal says it has found flaws in software used by cyber-security company Cellebrite.

The two companies have been at odds since Cellebrite claimed to have cracked Signal's secure messaging last year - a claim it fiercely disputed.

In the latest spat, Signal boss Moxie Marlinspike joked he had acquired Cellebrite's system after it "fell off a truck" in front of him.

And, he claimed, its software was so flawed he could easily hack into it.

"There are virtually no limits on the code that can be executed," he blogged, suggesting the flaws could be used to access data, change settings, and more.

'Prevent piracy'

In a statement, Cellebrite said: "We constantly strive to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound."

Mr Marlinspike said: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me.

"Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy... and a bizarrely large number of cable adapters."

Hinting at his motives for the blog post, he said: "Their software is often associated with bypassing security, so let's take some time to examine the security of their own software."

And in a video loaded with satirical references to the 1995 cult film Hackers, Mr Marlinspike then demonstrated apparently running a simple piece of code on a machine running Cellebrite software, which he claimed showed an easy way to compromise the security company's system.

The BBC is not responsible for the content of external sites.View original tweet on Twitter

"It's possible to execute any code," he added, "and a real exploit payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports (perhaps at random), or exfiltrate data from the Cellebrite machine."

They say revenge is a dish best served cold - but in this case, it was served with a giggle.

Signal's blog post is full of hacking references and pointed jibes at Cellebrite.

The flaws Signal claims to have discovered in the controversial Cellebrite technology, if accurate, are embarrassing for a company billing itself as smart enough to crack into secure-messaging systems.

And this comes, of course, only months after Cellebrite claimed to have developed a way to crack private Signal messages - a claim since debunked.

So this cyber-security revenge research seems to have left Cellebrite with questions to answer.

Cyber-security expert Andrew Morris summed up this story best when he tweeted: "This blog post is the nerd equivalent of an absolutely ruthless rap diss track."

And this hacking rap battle may already have ended with a Signal mic drop.

The row began in December, when Cellebrite claimed to have cracked Signal's encryption system, in a blog post it later altered to downplay the claim.

Signal responded by calling the claim "pretty embarrassing" and criticising media coverage - particularly that of BBC News.

Media caption,
What is encryption?

In his most recent post., Mr Marlinspike said: "One way to think about Cellebrite's products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later,"

"Cellebrite essentially automates that process for someone holding your device in their hands."

In its own statement, Cellebrite said it "understands that research is the cornerstone of ensuring this validation, making sure that lawfully obtained digital evidence is utilised to pursue justice".

"We will continue to integrate these standards in our products, software, and the Cellebrite team, in order to deliver the most effective, secure and user-friendly tools for our customers," it added.