The Prestige

Moxie Marlinspike of Signal Foundation and the Signal app
Moxie Marlinspike of Signal Foundation and the Signal app

The Pledge

The final shot of Let The Right One In is a nonpareil revenge ending. After an entire movie of bullying, we taste saccharine joy in the grand payback we dream of executing on our foes (watch the clip or watch the movie, spoiler alert).

There is something infinitely satisfying in people getting their comeuppance, and that last act where it’s revealed to us is a hell of a dopamine hit.

Add Signal to that collection of hits.

To know Signal and their affront – and we’ll get to what Signal is in a second – you have to know Cellebrite. (Cheery name, nefarious business.) A “digital forensics company” that promises to “protect and save lives” and “bring justice to victims and convict bad actors in the most challenging cases,” you’d read their marketing materials and hand over your life to them. In order to make good on the promises of “justice,” the company makes myriad products to assist individuals and organizations in accessing and collecting digital data. Specifically, there are these two:

  • UFED, a program that allows one to “lawfully access locked devices with ease,” aka bypass security protocols like your facial recognition, phone passcode, and more
  • Physical Analyzer, a program that, once UFED has done its job and you’re in the device, reveals and analyzes “key pieces of digital evidence (and) trace events,” aka files, folders, and metadata. (Like every location you’ve ever been at when you took a photo.)

In a best-case scenario, technology like this is used for good. Terrorist phone found, it’s unlocked, unencrypted, and reveals the location and plans of future terrorist actions, plot thwarted. Good guys win.

If only there were more money in that line of work.

The Turn

In true-case scenarios, Cellebrite is one of the more iniquitous actors on the stage. Their largely secret operations provide software to law enforcement agencies to questionably profile large groups of humans and manipulate personal liberties. According to Upturn, a Washington, DC-based 501(c)(3), that deals in policing, government, and technology, “given how routine these (mobile device) searches are today, together with racist policing policies and practices, it’s more than likely that these technologies disparately affect and are used against communities of color.” As they write, “Every American is at risk of having their phone forensically searched by law enforcement.”

Cellebrite would love that.

Law enforcement in all 50 states and in DC have purchased some form of mobile device forensic tool (MDFT). “State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones,” VICE’s Motherboard wrote; state police departments have spent over $11.5MM on MDFTs since 2015 (Appendix C – with locales listed, too).

Signal itself has also written that Cellebrite’s “customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere.”

In its quest for a global police state that leverages its products, in early December, Cellebrite announced support for breaking into Signal, claiming they can now “help law enforcement lawfully access the Signal app. … At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives.”

There’s only one catch: That’s impossible.

The Prestige

Ralph Waldo Emerson wrote, “When you strike at the King, you must kill him.” Cellebrite came after the wrong monarch.

Moxie Marlinspike is the pen name for Matthew Rosenfeld, the man who founded the Signal Foundation. That nonprofit is dedicated to providing open-source tech (read: free for everyone) to protect “free expression and enable secure global communication.”

The jewel in that King’s crown is Signal, a true-encryption messaging application that has no ads, no trackers – nothing. Whereas other messaging (and social) apps claim to “responsibly manage” your data, Signal just flat out doesn’t store it. It has end-to-end encryption, ensuring a level of privacy the watchmen hate. They would much prefer to “responsibly” police your state rather than treat you as innocent.

The private app has been used by people to truly avoid unlawful, unwanted, and unsolicited surveillance, a lot of which comes from the government of the citizens. There is no possible way to interpret the app’s metadata. So when the company claims that “Cellebrite Physical Analyzer now allows lawful access to Signal app data,” it’s a deliberate lie.

Thus, Moxie has a counterargument to make.

This means Signal can package a file in their app that only runs when the phone is hooked up to a Cellebrite program, and, when that does happen, execute code.

Once they came after his app, he decided to do some investigating of his own, writing up his findings on Signal’s blog. Lying inside Cellebrite’s products he finds sweet, sweet revenge.

Because Cellebrite’s software makes claims in the ballpark of bypassing security, Moxie examined Cellebrite’s product security. Under the hood, he found that a number of industry-standard risk- and exploit-mitigating defenses aren’t even there. (Moxie points to a third-party plugin that their products leverage that was last updated in 2012; since then, over 100 security updates have been released, all of which can be exploited in Cellebrite’s software.)

This means Signal can package a file in their app that only runs when the phone is hooked up to a Cellebrite program, and, when that does happen, execute code. If one were so inclined, that code could, as Moxie relays, alter the results of not just the scan being performed on the current phone but also alter the results on every scan ever performed or will be performed by that Cellebrite machine. It can be done in actual stealth (technically, “with no detectable timestamp changes or checksum failures”).

And that’s only one of the many, many ways the exploits Moxie found can be exploited. Moxie also documents the company’s use of pirated libraries from companies like Apple to create their products, something Apple is no doubt interested in knowing about.

The icing on the cake: Signal will be randomly assigning these reverse-exploit files with random versions on random app installs that will never interact with the Signal app in any capacity. The only significance is to (rightfully) call into question the integrity of all past, present, and future data from Cellebrite.

It’s a thing of nerd beauty. Or, as Omar says, you come at the king, you best not miss.

Photo by Jason Henry/The Wall Street Journal