Signal: Cellebrite claimed to have cracked chat app's encryption - BBC News

Signal: Cellebrite claimed to have cracked chat app's encryption - BBC News


Signal: Cellebrite claimed to have cracked chat app's encryption - BBC News

Posted: 22 Dec 2020 10:58 AM PST

By Jane Wakefield
Technology reporter

image copyrightSignal

Israeli security firm Cellebrite has claimed that it can decrypt messages from Signal's highly secure chat and voice-call app, boasting that it could disrupt communications from "gang members, drug dealers and even protesters".

A blog on its website detailing how it did it has since been altered.

According to one cyber-security expert, the claims sounded "believable".

But others, including Signal's founder, have dismissed them as being risible.

The BBC has contacted Cellebrite and Signal for comment.

Highly encrypted apps such as Signal and Telegram have become popular among people keen to keep their messages private. The adoption rates have worried law enforcement agencies, who feel they are hampering their ability to investigate crimes.

"Apps like these make parsing data for forensic analysis extremely difficult," writes Cellebrite.

The firm has a series of products, including the UFED (Universal Foresenic Extraction Device) - a system that allows authorities to unlock and access the data on suspects' phones.

Cellebrite provided a technical explanation of how it found a decryption key that allowed it to access the messages that Signal stores its database. It then described how it searched Signal's open-source code for clues as to how to breach the database.

"We finally found what we were looking for," it writes, with a full explanation of how it did it, which has since been deleted.

Its claim suggested that it could "crack" Signal on Android phones but did not mention Apple devices.

In response to people questioning Cellebrite's claims, the creator of Signal - Moxie Marlinspike - dismissed the idea that the app had been compromised.

"This was an article about 'advanced techniques' Cellebrite used to decode a Signal message on an unlocked Android device," he tweeted.

"They could have also just opened the app to look at the messages.

"The whole article read like amateur hour, which is I assume why they removed it."

John Scott-Railton, a senior researcher at Citizen Lab, an internet watchdog based at the University of Toronto, moved to reassure users that Signal "remains one of the most secure and private ways to communicate".

"If they are worried about their chats being extracted from a confiscated device, they can enable disappearing messages," he added.

'Extraordinary' claims

Signal, owned by the Signal Technology Foundation, puts privacy at the heart of its system, using a system that had been thought almost impossible to break.

The messaging app is endorsed by whistleblower Edward Snowden, who claims to use it "every day".

On its website, it says that it uses state-of-the-art, end-to-end encryption to keep all conversations secure.

"We can't read your messages or listen to your calls, and no-one else can either."

image copyrightGetty Images
image captionSignal is used by journalists, business leaders and others to have private conversations

Alan Woodward, a professor of computer science at Surrey University, said Signal was "one of the most secure, if not the most secure, messenger service publicly available".

"Signal employs end-to-end encryption, but goes further than apps like WhatsApp by obscuring metadata - who talked to who when and for how long," he explained.

"Cellebrite seem to have been able to recover the decryption key, which seems extraordinary as they are usually very well protected on modern mobile devices."

He added that if this was indeed true, it was no surprise Cellebrite would have altered its blog.

"I suspect someone in authority told them to, or they realised they may have provided enough detail to allow others - who don't just supply to law-enforcement agencies - to achieve the same result."

Related Topics

  • Cyber-security

More on this story

Signal Dismisses Cellebrite Encryption Claim - Silicon UK

Posted: 23 Dec 2020 08:11 AM PST

Security specialist Cellebrite has astonished the security industry with a claim that it has cracked the encryption of one of the most secure messaging apps on the market.

The firm in a blog post claimed that highly encrypted apps such as Signal are being increasingly used by criminals to evade police and law enforcement.

The mobile forensics firm noted that Signal not only uses end-to-end encryption for the data it sends, but the app also employs a proprietary open-source encryption protocol called "Signal Protocol".

google, encryption key

Cellebrite claim

Cellebrite said that its "Physical Analyzer now allows lawful access to Signal app data," it wrote. "At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives."

But that blog post has been extensively altered from the original one, in which it claimed that its product Universal Forensic Extraction Device (UFED) could access, lift and analyse data of mobile phones using the app.

It claimed it could decrypt messages from Signal's highly secure chat and voice-call app, boasting that it could disrupt communications from "gang members, drug dealers and even protesters"

But the reality is that Signal is used by many other people worried about privacy (i.e. journalists etc), and not just criminals.

The original Cellebrite blog post provided a technical explanation of how it found a decryption key that allowed it to access the messages that Signal stores its database.

It then described how it searched Signal's open-source code for clues as to how to breach the database.

"We finally found what we were looking for," it was quoted as written by the BBC, with a full explanation of how it did it, which has since been deleted.

Its claim suggested that it could "crack" Signal on Android phones but did not mention Apple devices.

Signal response

But Cellebrite's claim was quickly dismissed by the creator of Signal, Moxie Marlinspike, on Twitter.

"This was an article about 'advanced techniques' Cellebrite used to decode a Signal message on an unlocked Android device," he tweeted in a response to someone flagging to him Cellebrite's claim. "They could have also just opened the app to look at the messages."

"The whole article read like amateur hour, which is I assume why they removed it," added Marlinspike.

Questions remain

It remains to seen if Cellebrite really did manage to gain access to the decryption key, as that is usually well protected.

Rather, it seems that the exploit claims to worked via an unlocked Android phone, but Cellebrite has significantly altered its original blog on the matter, leading to question marks over the reliability of its original claim.

Indeed, some will ask why Cellebrite decided to publicly disclose "the issue" first, when it should have followed the responsible option and alerted Signal quietly that it had compromised its system.

Cellebrite was the firm that was reportedly hired by the FBI in 2016 to help access the locked iPhone belonging to the San Bernardino terriorist Syed Rizwan Farook.

6 Privacy-Focused Alternatives to Maps, Messaging, Search, and More - WIRED

Posted: 13 Dec 2020 12:00 AM PST

Most of us are so used to the apps we rely on, it's easy to stop thinking about how they work and what they do with our data. Most free services make their money from ads, and that means collecting data about our likes, our online activities, and our app usage.

There are better options: apps that will keep your data safe from unwelcome visitors and eager advertisers. And they might fit into your daily routine more easily than you expect.

Of course, Apple and Google take different approaches to user privacy—Apple makes money by selling hardware, whereas Google makes money selling ads, and that requires a lot of data collection and profiling. Even though Google promises to keep your actual personal data private, it does sell ads against the profile it creates.

By comparison, a lot of Apple's apps are already fairly well locked down from a privacy standpoint: Safari, Mail, Apple Maps, and so on. However, we've avoided both Apple and Google in this rundown to give you options across multiple devices and platforms.

Signal for Messaging

Screenshot: David Nield via Signal

You have a number of apps to choose for text messaging, but few are as security-focused as Signal (Android, iOS) while also working across multiple platforms with ease. As you would expect, end-to-end encryption is baked in as standard, and there's also a disappearing-messages option so you leave no trail behind.

While Signal might not be bursting with quite as many options and features as some of the other instant messengers in app stores, it does support voice and video calls, as well as group chats, file transfers, audio clips, and the all-important GIFs. Your biggest problem with the app might be convincing everyone in your contacts list to switch over to it, but we have a whole guide to Signal here to help you make the case.

Firefox for Web Browsing

Screenshot: David Nield via Firefox

Comments

Popular Posts

Signal, WhatsApp and Telegram: All the major security differences between messaging apps - CNET

VPN browser extensions: Why you shouldn't use then - Tech Advisor

Police Target Criminal Users of Sky ECC Cryptophone Service - BankInfoSecurity.com