Signal accuses security company Cellebrite of a suspected security hole


Signal logo projected behind someone using a silhouette phone


The encrypted messaging app Signal says it has found a flaw in the software used by cybersecurity firm Cellebrite.

The two companies have been in conflict since Cellebrite claimed to crack Signal’s secure messaging last year.

In the latest spat, Signal boss Moxie Marlinspike joked that he got hold of Cellebrite’s system after seeing it “falling off the truck” in front of him.

And he claimed that the software was very flawed and easy to hack.

“There is virtually no limit to the code you can execute,” he wrote in a blog post, suggesting that the flaws could be used to access data, change settings and more.

“Prevention of copyright infringement”

In a statement, Cellebrite said: “We are constantly striving to meet and exceed the highest standards in the industry for our products and software so that all data generated by our tools is validated and legally sound.”

Marlinspike said: “It’s a really incredible coincidence, and I recently went for a walk when I saw a small piece of luggage falling off the truck in front of me.

“Inside, we found the latest version of Cellebrite software, a hardware dongle designed to prevent piracy, and a strange number of cable adapters.”

He hinted at his motivation for publishing the blog post, saying: “Their software is often associated with security bypasses, so let’s take a moment to look into the security of our own software.”

And in a video full of satirical references to the 1995 cult film Hackers, Marlinspike clearly showed himself running simple code on a machine running Cellebrite software. He argued that this represents an easy way to compromise the security company’s system.

“It is possible to execute arbitrary code. The actual exploit payload can change the previous report undetectably, compromise the integrity of future reports (perhaps randomly), or steal data from a Cellebrite machine,” he added.

Analysis box by cyber reporter Joe Tidy


They say revenge is a dish best served cold, but in this case it was served with a giggle.

Signal’s blog post is full of jibes and hacking references aimed at Cellebrite.

The flaw that Signal claims to have found in the controversial Cellebrite technology is, if accurate, embarrassing for a company that claims to be smart enough to break into a secure messaging system.

And, of course, this was only a few months after Cellebrite claimed to have developed a way to decrypt private Signal messages.

So this piece of cybersecurity revenge research seems to have left Cellebrite with a question to answer.

Cybersecurity expert Andrew Morris best summarized the story when he tweeted: “This blog post is an absolutely ruthless nerd rap diss track.”

And this hacking rap battle may have already ended with a Signal mic drop.

The row began in December, when Cellebrite claimed to have cracked Signal’s encryption system. The blog post was later modified to downplay that claim.

Signal responded by calling the claim “quite embarrassing” and criticizing media coverage, especially BBC News coverage.

In a recent post, Marlinspike said: “One way to think about Cellebrite products is that if someone has an unlocked device in their hands, they can open their favorite app and take all the screenshots to save. That’s it. I’ll try again later.”

“Cellebrite basically automates the process for those who have the device in their hands.”

In its own statement, Cellebrite said it understands that “research is the basis for ensuring this verification and that legally obtained digital evidence is used to pursue justice.”

“We will continue to integrate these standards into our products, software and Cellebrite teams to provide our customers with the most effective, safe and user-friendly tools,” it added.