A Quick Plug
Katherine Druckman and Doc Searls chat with Kyle Rankin and Shawn Powers about Signal’s exposure of vulnerabilities in Cellebrite’s mobile device hacking software.
Signal’s founder, known as Moxie Marlinspike, recently posted a quite thorough outline of significant vulnerabilities in the Cellebrite phone analysis software used by law enforcement and governments around the world to extract data from mobile devices. As this software has reportedly been used in ethically questionable ways, it makes perfect sense that a hacker/privacy activist would target Cellebrite, especially after word got out (erroneously) that Signal’s app was vulnerable to Cellebrite’s software.
The blog post went as far as to suggest that an app could effectively booby trap itself to completely undermine the Cellebrite system.
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
Also interesting are the potential legal consequences of these vulnerabilities. A Maryland lawyer is currently challenging a conviction that was largely based on evidence gathered using Cellebrite’s analysis on the basis that its integrity is now highly questionable.
Kyle Rankin and Shawn Powers joined us in last week’s episode to talk through this news and other issues. Interestingly, we previously discussed the new trend of schools using Cellebrite tools to violate student privacy in Episode 52: Fragmentation and Outrage of the Week, which is frankly just as outrageous today as it was then. Is this latest hack perhaps a little karmic justice?
Please feel free to reach out here in a comment, or on any of our social outlets, or via our contact form.
That Awesome Video
This is a must-watch video, originally posted in the Signal blog post. We promise it will speak to your hacker soul.
This Week’s Reading List
Signal >> Blog >> Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective — Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software. Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.
Australia’s vague anti-encryption law sets a dangerous new precedent - ProtonMail Blog — The Australian government and its Labor partners rammed a shockingly invasive anti-encryption law through Parliament, over the objections of experts, businesses, and civil rights groups.
Australia's Encryption-Busting Law Could Impact Global Privacy | WIRED — Australia has passed a law that would require companies to weaken their encryption, a move that could reverberate globally.
P versus NP problem - Wikipedia — The P versus NP problem is a major unsolved problem in computer science. It asks whether every problem whose solution can be quickly verified can also be solved quickly.
Data Double Dipping: When Companies Mine Paying Customers – Purism — There’s an old snarky saying among privacy advocates: “If you aren’t paying for something, you are the product!” This updated version of “There’s no such thing as a free lunch” arose in the Internet age among the ever-growing list of free services and apps on the Internet funded by collecting and selling your data to advertisers. If large companies like Google and Facebook are any indication, a lot of money can be made with user data and the more data you collect, the more money you can make.
Eva Galperin: What you need to know about stalkerware | TED Talk — "Full access to a person's phone is the next best thing to full access to a person's mind," says cybersecurity expert Eva Galperin. In an urgent talk, she describes the emerging danger of stalkerware -- software designed to spy on someone by gaining access to their devices without their knowledge -- and calls on antivirus companies to recognize these programs as malicious in order to discourage abusers and protect victims.
Reality 2.0 Episode 52: Fragmentation and Outrage of the Week — Doc Searls and Katherine Druckman talk to Kyle Rankin about fragmentation and software development, the Amazon Halo, and surveilling school children.
This Is How They Tell Me the World Ends — From New York Times cybersecurity reporter Nicole Perlroth, THIS IS HOW THEY TELL ME THE WORLD ENDS is the untold story of the cyber arms trade (the most secretive, invisible, government-backed market on earth) and a terrifying first look at a new kind of global warfare.
We look forward to sharing our weekly recaps, reading lists and inspiration with you as we navigate our collective digital reality. Cheers until next time!
Thank you especially to our Patreon supporters who help us keep the podcast and newsletter going!