Signal slams Cellebrite security company over alleged security holes

Encrypted-messaging app Signal says it has discovered flaws in software used by cyber-security company Cellebrite.

The two companies have been at odds since Cellebrite claimed to have cracked Signal’s secure messaging last year – a claim Signal fiercely disputed.

In the latest spat, Signal boss Moxie Marlinspike joked he had acquired Cellebrite’s system after it “fell off a truck” in front of him.

And, he claimed, its software was so flawed he could easily hack into it.

“There are virtually no limits on the code that can be executed,” he blogged, suggesting the flaws could be used to access data, change settings, and more.

‘Prevent piracy’

In a statement, Cellebrite said: “We constantly strive to ensure that our products and software meet and exceed the highest standards in the industry so that all data produced with our tools is validated and forensically sound.”

Mr Marlinspike said: “By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me.

“Inside, we discovered the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy… and a bizarrely large number of cable adapters.”

Hinting at his motives for the blog post, he said: “Their software is often associated with bypassing security, so let’s take some time to look at the security of their own software.”

And in a video loaded with satirical references to the 1995 cult film Hackers, Mr Marlinspike then demonstrated apparently running a simple piece of code on a machine running Cellebrite software, which he claimed showed an easy way to compromise the security company’s system.

“It’s possible to execute any code,” he added, “and an actual exploit payload would probably seek to undetectably alter earlier reports, compromise the integrity of future reports (maybe at random), or exfiltrate information from the Cellebrite machine.”

Analysis box by Joe Tidy, Cyber reporter

They say revenge is a dish best served cold – but in this case, it was served with a giggle.

Signal’s blog post is full of hacking references and pointed jibes at Cellebrite.

The flaws Signal claims to have discovered in the controversial Cellebrite technology, if accurate, are embarrassing for a company billing itself as smart enough to crack into secure-messaging systems.

And this comes, of course, only months after Cellebrite claimed to have developed a way to crack private Signal messages – a claim since debunked.

So this cyber-security revenge research seems to have left Cellebrite with questions to answer.

Cyber-security expert Andrew Morris summed up this story best when he tweeted: “This blog post is the nerd equivalent of a fully ruthless rap diss track.”

And this hacking rap battle may have already ended with a Signal mic drop.

The row started in December, when Cellebrite claimed to have cracked Signal’s encryption system, in a blog post it later altered to downplay the claim.

Signal responded by calling the claim “pretty embarrassing” and criticising media coverage – notably that of BBC News.

In his most recent post, Mr Marlinspike said: “One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they want and take screenshots of everything in them to save and go over later.

“Cellebrite essentially automates that process for someone holding your device in their hands.”

In its own statement, Cellebrite said it “understands that research is the cornerstone of ensuring this validation, making sure that lawfully obtained digital evidence is utilised to pursue justice”.

“We will continue to integrate these standards in our products, software, and the Cellebrite team, in order to deliver the most effective, secure and user-friendly tools for our customers,” it added.
