21 votes

Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective

6 comments

  1. [3]
    skybrian
    Link
    Here's a followup from someone who is not very impressed with this blog post: I have a lot to say about Signal's Cellebrite hack

    Here's a followup from someone who is not very impressed with this blog post:

    I have a lot to say about Signal's Cellebrite hack

    7 votes
    1. [2]
      Greg
      Link Parent
      Interesting piece - a "written by and for lawyers" counterpoint to Signal's "by and for hackers" post. I'd say you can safely skip straight to Part III: Why It Matters if you're already reasonably...

      Interesting piece - a "written by and for lawyers" counterpoint to Signal's "by and for hackers" post. I'd say you can safely skip straight to Part III: Why It Matters if you're already reasonably familiar with the situation.

      While I don't think it was overly verbose per se (the context and explanation adds weight and defensibility; like I said, by and for lawyers), for me the crux of what the author said boils down to:

      • Cellebrite, and other law enforcement software, is shitty, insecure, and needs to be held accountable
      • Proving that any specific vulnerability was crucial in a past conviction is unlikely, but pointing them out will give defence lawyers more opportunity to challenge Cellebrite evidence in ongoing cases
      • Signal are alluding to doing something very illegal, and are doing so in a cutesy nudge-and-wink way that appeals to a hacker/techie audience
      • This is the polar opposite of presenting the same issues in a way that would appeal to lawyers and judges
      • The law won't applaud your clever workaround, it'll throw the book at you
      • The uneasy security race between Cellebrite and Apple/Google is actually giving law enforcement just enough access to reduce government pressure for mandated backdoors
      • While the just outcome either way would be that Cellebrite fixes their shitty software, the political reality is that Signal's blog post makes it easy to paint them as criminals to Congress
      • If Cellebrite is undermined, and Signal are the bad guys to Congress, it's easier to justify banning what they do and by extension banning end to end encryption all together
      5 votes
      1. skybrian
        (edited )
        Link Parent
        Yeah, it’s a plausible argument though it comes down to judgement calls about political perception and unpredictable future events. Maybe Signal should be acting more respectable and leave the...

        Yeah, it’s a plausible argument though it comes down to judgement calls about political perception and unpredictable future events. Maybe Signal should be acting more respectable and leave the hacking to people with nothing to lose? But they probably also care about geek cred. (And money, as the plans to add support for cryptocurrency show.)

        Signal getting banned from app stores seems like a realistic threat to worry about and arguably the best thing they could do is just do nothing, run the service as it is with minor improvements, and benefit from status quo bias. (Sort of like Craigslist.)

        The argument against that is that it would be boring, losing market share and support from users.

        1 vote
  2. shiruken
    Link
    I'm guessing that law enforcement agencies aren't that judicious about updating software so this could completely undermine the use of Cellebrite.

    I'm guessing that law enforcement agencies aren't that judicious about updating software so this could completely undermine the use of Cellebrite.

    6 votes
  3. petrichor
    Link
    Fantastic article. While I've ragged on Signal in the past for their actions with regard to handling work and exploit reports from their community, this is an example of them really shining.

    Fantastic article. While I've ragged on Signal in the past for their actions with regard to handling work and exploit reports from their community, this is an example of them really shining.

    5 votes
  4. AugustusFerdinand
    Link
    This is one of the most beautiful things I've read in quite some time. Will be interesting if it continues to gain attention and triggers lawsuits from Apple considering Cellebrite is looking to...

    This is one of the most beautiful things I've read in quite some time.

    Will be interesting if it continues to gain attention and triggers lawsuits from Apple considering Cellebrite is looking to go public soon and I can't imagine those things being great for their stock price.

    4 votes