127 comments

[ 3.4 ms ] story [ 213 ms ] thread
Here's the other fun thing to consider about this story....

Do you think Signal is the first or only one to set traps for Cellebrite?

probably. cellebrite is really a police-level tool, and the people who worry about it are journalists, activists, and petty criminals, none of whom really have the resources to find or deploy something like this.

if a state agent is worried about this kind of thing they just carry a clean device, and for most of them if they are ever in a situation where their device is inspected, the game is already over.

> if a state agent is ... ever in a situation where their device is inspected, the game is already over.

(I don't think the above summarization alters the intent of your statement.)

IMO, if you're at "state agent" level, well, just about all the countries either have the manufacturing capacity, either locally or through agency partnership with ally countries, to construct devices capable of maintaining a clean the appearance even while being examined with very expensive equipment.

For example, you could probably do a lot if you could replace the 0th-stage bootloader in the NAND controller. And NAND is manufactured at such crazy scale, the one-off test runs probably wouldn't be all that expensive, and the turnaround time might even be weeks to days.

Well, to me that sounds like it would be a very juicy target for other nation states. Country A does not like country B, country B is known to often use these devices and many of their "victims" are persons of interest for country A's intelligence organizations. Those people know it so they don't travel to country A or take special precautions, but because country B is friendly, they don't do the same things. So country A puts the exploit to couple of people's phones and they travel to country B. Country B scans the devices and now the only issue country A has now is how they will exfiltrate the data without raising alarms.
> cellebrite is really a police-level tool

it's widely used by phone-shop- and carrier service staff to migrate data.

Just link to the original blog post by Moxie instead?

https://signal.org/blog/cellebrite-vulnerabilities/

> We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.

Love it.

A GPL style vulnerability sharing agreement. The “in the future” is the real delicious clause.
Ideally it should be AGPL.
Cellebrite's terrible response is also noteworthy. Responding to claims of vulnerabilities by saying you "save lives" and don't sell to sanctioned countries shows how seriously they take security.
Signal saves lives too. No doubt certain users would be assassinated if their messages were intercepted.
yeah, like pedophiles.
Doesn't even have to be assassinated, just plain old killed for being gay or imprisoned for saying something negative about the regime.
Thanks — the writing in the gizmodo article is pretty bad.
Moxies response is pretty brilliant. Sounds like cellbrite has a lot of patching to do and a potential lawsuit from Apple to defend.
Sounds like cellbrite has a criminal investigation coming their way. While there is a chance that the code made its way to them in a way that they would only be civilly liable I find it hard to believe that there was not some action that delved into the criminal realm.
I worked for Apple 10+ years ago, and cellebrite was used by Apple Geniuses in Store for data recovery. It doesn't surprise me at all that here is Apple code in it.
Considering they use Cellebrite, do you think they were aware of the Apple assets being bundled but decided to say nothing as long as it wasn't made public? (i.e. as long as they did not have a copyright to defend or lose)
You're thinking of trademarks. They don't have to do anything about use of their copyrighted materials if they don't want to.
Apple make a big deal about being a privacy-focused company. Right now, Apple code is being used to invade people’s privacy. They “have to” address this or it becomes a PR issue for them.
Possibly. The spotlight is also now on Apple to explain if parts of iTunes is being used to incriminate persecuted groups (journalists, homosexuals, activists, etc) what are they going to do about it?
> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

I assume those images are going to be for the benefit of somebody looking at data extracted through Cellebrite?

Probably they'll be the files that he talks about earlier which exploit the Cellebrite machine and fuck up all the reports. Or maybe it's just nothing.
If this isn't merely a joke, and these proposed files are intended to contain Cellebrite exploits of some kind, then please, Moxie, let us have an opt out?

As it stands, if law enforcement for some bizarre reason decide to examine my personal devices, there will be nothing on there of interest to them. If Signal start bundling exploits onto my device, that will no longer be the case. That's a potential risk to me, and Signal should be asking my permission before taking the risk.

I probably broke 10 laws/regulations without knowing it just this morning before coffee, what makes you think you know you're "innocent"?
Dont think of them as cellebrite exploits but as Signal security features.

Yes you have nothing to hide, but the police in many cases aren't honest. What if you live in the Middle east and are gay, you use signal, this protects you. Cellebrite are happy to sell their product to oppressive regeimes and if you are black the US police could be considered oppressors.

If you're being oppressed by a repressive regime, having a phone that damages the oppressor's infrastructure may not have a positive outcome for you, the individual.

"Hey, your phone corrupted our 'lawful' intrusion system. That violates a long list of statutes. We're going to beat you with this wrench now, because you made our day worse, and then charge you with crimes against the state."

If they will beat you with a wrench for that they will beat you regardless of what is in your phone. If they do find something they dont like you get hit with the wrench, if they don't find anything you must be hiding it so you get beat with the wrench.

So now we are saying don't protect yourself because if you do that would imply you have something to hide,and are therefore guilty and deserving of the wrench beating.

My concern is really, "Signal has a beef with Cellebrite, and so some unsuspecting and innocent person gets hit with a wrench."

It is a different game if Signal makes the sharding opt-in. If someone vacuums my phone and it turns out that my treatise about Little Bobby Tables [1] breaks the vacuum, that is fine by me.

[1] https://xkcd.com/327/

We should all have beef with cellebrite. Have you seen their customer list?

If they make it opt-in then surely that is worse for the user. Then the oppressive regime can say "you deliberately did this thing".

The older I get, the more I find myself reticent to impose my 'shoulds' (I have many :) ) upon others. It is a complicated world.
Using signal is opt in, and using it is likely a reason to be hit by a wrench by these regimes anyways.
In this (somewhat contrived) scenario where authorities are targeting your phone for surveillance solely to access a possible exploit file placed there by Signal, how would an opt-out option help you? Do you imagine that you could explain to the authorities that you opted out, and they would send you on your way? Or do you imagine that they would hold you personally responsible for the exploit, even though Signal has publicly taken credit for doing this?
That is not the scenario I'm outlining.

I am outlining a hypothetical scenario where the authorities choose to look through my phone for ${UNRELATED_REASON}, and the presence of Signal's hypothetical exploit files would cause their digital forensics software to crash. In this hypothetical scenario, that crash in and of itself could then be taken as a reason to charge me. I don't believe "the app software maker selected my phone at random to have those files on it!" would help me out in that situation; that's the sort of nuance that tends to get completely lost.

The opt-out option would help me because, having opted out in advance, the hypothetical exploit files would not be on my phone.

I do agree that this is a slightly far-fetched scenario. However, I am very confused how HN can generally be of the opinion that having unwanted malware on your phone is a good thing, even if Signal put it there.

I think this is my first-ever comment on HN, and I'm basically just chiming in to say that under no circumstances should you even be talking to police in a situation like this. You can politely ask for a lawyer, politely ask if you're being detained and politely provide your basic information when asked like your name and address, but otherwise do not say anything at all.

This fantasy that you can get away from a situation in which you are being interrogated and your phone is being searched by being compliant and proving your innocence to the nice police officers is extremely dangerous. Being compliant and providing information beyond what's legally required is the exact opposite of what you want to do, and preventing yourself from being charged should be the last thing on your mind. You should take it as a given that you will be charged.

edit: If you're outside the USA ignore this advice and listen to someone more local who knows their stuff.

> cause their digital forensics software to crash.

Why would they make it crash the software though? There's no reason to do anything that's visible to the operator, perhaps it just alters data previously downloaded from other devices and then deletes itself. Or changes nothing other than adding a friendly file called moxie.says.hi.txt

(comment deleted)
What's with all the downvotes? The parent is asking a reasonable question and making a reasonable request.
there are plenty of things to fear in police custody and the police don’t need a reason like that for any of them. they will simply do it if they want.
Except there's no guarantee your phone will even contain a payload. Just the chance that some devices may have it, and there's no way to know for certain. And if they take in even one phone to scan that carries the exploit, it can make past, current and future evidence rendered untrustworthy. It's herd immunity via the prisoner's dilemma.
I assume most likely these are being used to defeat/render ineffective one of Cellebrite’s features. By having other (benign) data travel alongside your data... it makes it harder for an attacker to know what data is “useful”.
No... if you read the article carefully, the outline goes something like this:

1. We found a cellebrite kit that "dropped out from the back of a van" (yeah right lol)

2. Cellebrite is a tool to extract data out of phones (general intro to what Cellebrite is)

3. Looks like Cellebrite is using a bunch of open source libraries and they also use Apple DLLs (???!!!)

4. Oops looks like they are using like YEARS old libraries and there are hundreds of KNOWN vulnerabilities on each of those libraries.

5. Oops looks like the vulnerabilities allow ACE. Here's a demo where we placed a carefully crafted file with the ACE payload on a phone where if you just click the scan button on Cellebrite's software, you can do ACE (this is the video in the middle of the article)

6. (by the way for cellebrite users) this calls into question all data extracted with Cellebrite since these exploits are trivially exploitable. There are so many exploits possible so you can use any of them to create ACE attacks.

7. For COMPLETELY TOTALLY UNRELATED AESTHETIC REASONS we are putting some files on the Signal app. You're welcome!

---

to spell it out: yes, they are putting ACE payloads on Signal to try to crash investigators/spies/whatever trying to use Cellebrite on phones with the Signal app.

I like 6 a lot, could be an avenue for legal refutation of obtained evidence (in a supposed crime or other illegal activity), 7 is a bit unnecessary.
Not at all!

7 is actually a lot more subtle, I didn't get it at first. They're putting some files on some signal phones, somewhat randomly, and only those which seem like they've been in active normal use since before this disclosure. So likely none of the devices Cellbrite might own for testing, and no device Cellbrite might buy in the future, but some random set of existing devices in the field. And there might be multiple such files, so even if Cellbrite find one they can't be sure they've got them all.

Now assume these files are (as somewhat implied) exploits that cause the falsification of data in all current and future reports issued by a given Cellbrite device.

That means that if a Cellbrite has, after this point, ever scanned a phone with Signal installed it might be issuing false reports.

THAT means that there's a reasonable doubt in any evidence obtained by the use of a Cellbrite device, going forward. That gives an easy out to defense attorneys in the US, where Cellbrite devices are used by police to gather evidence.

Any defense attorney can now argue that evidence obtained from a Cellbrite shouldn't be admitted in court, since they don't maintain forensic integrity. This essentially spoils Cellbrite's entire business in the US (and any other country with similar standards for the admissibility of evidence).

So Cellbrite has to find ALL the exploits in their system, and be very, very sure they've not missed any. Because defense attorneys will then try to call that into doubt. Etc.

Already discussed in depth at https://news.ycombinator.com/item?id=26891811
I saw the original post, but was unfamiliar with anything in the title. I chose to skip it. The title of this post sounded much more interesting to me, so I clicked on it today.

While not judging a book by the cover, this cover was definitely more attractive to my atention span.

I did exactly the same. Sometimes the title is relevant if you are already on the blog so you are aware of context, here though I missed it until I read about it elsewhere, then I can back to find the thread.
I understand, and of course all of us are subject to that mechanism, but we can't run HN that way (not that you're saying we should). Threads of the second freshness pointing to mediated sources that come out after HN has already had a major discussion—and sometimes even because HN has had a major discussion—fail the following heuristics:

We downweight follow-ups that don't contain significant new information: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor... and https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...

Repetition is not good for curiosity: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...

Front page is the scarcest resource: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

... and no doubt a bunch of others.

but it's not even on the third page as far as i can see. Can you at least maybe transfer the thread and upvotes, or otherwise refloat it to at least the second page?
Only if you take Signal’s word for it.

As impressive as the hack looks, we are putting trust in Signal that it’s real since they didn’t disclose the vulnerability and no one else has reproduced it. It could just be a clever attempt at socially engineering the public opinion of Cellebrite.

I posted a more detailed analysis on the original story: https://news.ycombinator.com/item?id=26898638

Even if they published the vulnerability, none of us could attempt to reproduce it anyway because the software isn't available. (I mean, unless another one falls off a truck. ;)

Public opinion of Cellebrite was already extremely low.

> It could just be a clever attempt at socially engineering the public opinion of Cellebrite.

If so, that sounds potentially libelous (IANAL).

Indeed. This whole effort was done out of retaliation and spite, so I wouldn’t put libel beneath them either.
It's not libel if you can prove it's true.
If Signal cannot prove the vulnerability is real, which they contemptuously refuse to do in blog post, then it stands as libel.
(comment deleted)
Even if that were true, those trade secrets will never be defended in open court. The best Cellebrite can do here is a PR campaign to downplay the veracity of this.

"There's nothing to see here, folks!"

If signal was lying, it would probably be easy to prove (at the very least the version of ffmpeg included is easy to prove/disorove. Ditto on the apple libraries).

Honestly, i would be very surprised if cellebrite didn't have massive vulns. Its the type of software that always does.

From Signal’s blog post:

> As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then.

This purported vulnerability is not related to FFmpeg in any way, hence the disclaimer.

Haven't even clicked the link, but didn't the original post say it's not even a "cracking" tool, it just extracts backups via the supported backup methods?
You have options to unlock phones without having the password with Cellbrite.
Not my area of expertise, but the typical use case given in the Signal blog post supposes an "unlocked device in your hands" --

> ...One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands.

It's very carefully worded ("One way...") to not exclude unlocking without password, though. Perhaps Cellebrite also has password guessing capability?

If there’s proof that they’re selling apple’s code that could be the end of the company.
unless Apple has been complicit in this effort and that's why the FBI hasn't gone hard at them.
I would prefer not to let Signal casually guide the press cycle's attention away from the fact that they're still planning on shipping a cryptocurrency grift to exploit end users. Don't forget that Signal is a corrupt organization.
Could you please explain how an optional feature is user exploitation?
It is a pre-mined coin. The creators of this cryptocurrency have sequestered away a large fraction of all possible coins for themselves.
First I’ve heard of it. If your goal is to keep that topic in the collective mind, don’t you think you should provide some link or context or something for the people who have no clue what on earth you’re talking about?
If the "it fell off a truck" story is to believed, this whole thing reeks of a honeypot. Waaay too convenient.
"Falling off a truck" is usually a euphemism for obtaining something through nefarious ways. He probably got it from a friend in the police department or something similar.
so i think. The means through which the device was obtained must have conformed to at least the barest definition of the word 'legal'. I think so for the purely logical reason that signal wouldn't be crowing like a rooster over stolen property. Though obviously, they didn't exactly walk into cellebrite and request a <whatever it was> by the front desk....
what's to prevent Apple from doing something like this directly within the OS? Negative publicity? Would it be considered negative? Is it scorched earth?
My 65 year old mother and I use Signal as we live across the planet from each other.

She's due for a new phone soon, and the cell companies use Cellebrite to transfer data from one phone to another.

She will almost certainly want them to do it as I'm not there to help her in person.

What happens when Signal shards to her device and uses it as a weapon against the machine and her phone is bricked or she's liable for the machine's costs or our entire history is deleted or something just as destructive?

Please don't force your threat model down our throats. Your hacktivism is not my hacktivism. This shit better be opt-in.

It's not Signal's job to work around deficient carrier tools.
It's not Signal's job nor their place to weaponize their users' devices without permission.

This is incredibly unethical.

You're fabricating complications which don't make any technical sense as a justification to be angry about this basically harmless gesture. If you are that averse to the idea of being even remotely complicit in jamming the surveillance state, just don't use Signal.
Firstly, never has it been a requirement to "jam the surveillance state" to be a user of Signal. That's absolutely bananas.

Did you read the text at the bottom of the post? They are randomly installing malware on users' devices to break or harm or otherwise self-destruct when Cellebrite machines read them.

I'm not speaking for myself. I would opt in personally. I'm speaking for my mother who just wants a secure and reliable line of communication with her son without being pulled into some offensive scheme that could land HER in trouble or cause damages.

If something is broken or destroyed without user knowledge or understanding or consent, you better believe Signal will see court cases.

there are plenty of other options than Signal, vote with your feet
Name another privacy respecting application that can do calling and video between two phones with e2ee and is simple enough for a 65 year old non-tech-savvy woman to use. I'll switch her over immediately.
Viber, Telegram?
Telegram is a joke, it constantly gets censored in countries with totalitarian regimes.
The exploit targets Cellebrite, not Signal's own software. Cellebrite is running on the machine doing the extracting and not the device containing the original data.

It's entirely possible that I'm wrong and this will cause your phone to explode, but if you don't trust the Signal developers enough to assume they won't intentionally explode your phone, you probably shouldn't be using their product.

I understand this. I'm saying my mother shouldn't be on the hook for her phone bricking a celebrity device used in good faith.
My reading is that the owner of any device the provider previously plugged in to could exfiltrate your mother's data by installing a persistent backdoor. Since this is a phone, I assume this includes email, passwords, etc. and they could use this data to e.g. access your mother's financial accounts. This is a fantastic vector for criminals.

Signal is providing a strong, albeit rude (likely in response to Cellebrite's claims), incentive to fix their shit. Would you rather have a temporary period where transfers weren't working, or deal with the scenario above in a year?

> weren't working

If that were the case, fine. But the post does not specify the effect of the "aesthetically pleasing" files. They could destroy all Signal data or irreversibly harm the machine itself.

We just have to "trust" the Signal devs to not do that?

This is not how security should work.

Huh? Don't you trust the Signal devs to not destroy all Signal data every day?

You're trusting the Signal devs to your keep messages safe and secure. I don't know if that means wiping all messages when accessed via Cellebrite, but that seems like a reasonable option. My assumption would be that they will just crash or brick the Cellebrite software. Either way and completely independently of the aesthetically pleasing files, if you disagree with the choices Signal makes to keep your messages safe and secure, there are many other messaging options that you can use.

Publicly calling out big security problems is exactly how security should work (notwithstanding specifics of disclosure).

Because when my mother has to transfer her phone, she'll then be liable for thousands of dollars of damage to their property, and she'd otherwise have no idea why.

That's the problem. The fact nobody sees the effects of this is absolutely surreal and alarming.

Yeah, that's not going to happen
(comment deleted)
I’m not sure how your judicial system works but, in my country you can’t be hold responsible for something that “you have no idea why”. That’s not how liability works.
In the US, you are not exempt from liability just for ignorance.

If you don't know how to pay your taxes, you're still required to pay your taxes.

On what basis would you sue someone for software crashing when you plug in their device?
Property damage, of course.
I think what you're missing is that Signal does not need to place any files on any phones for their purpose, and likely will not ever do so.

Their intention is to render using Cellebrite for court evidence worthless by suggesting that the record could have been tampered with at any point, if any phone the user scanned had Signal on it.

Proving that no phones ever had an 'aesthetic' file that could cause damage to Cellebrite is impossible, and they've provided clear reason why it is impossible to prove.

Maybe, but an app that does what Moxie suggests is malware in my book.

I don't think Signal will do that though, if it does, it will most likely get kicked out of every store and the company will most likely end up in well-deserved legal trouble, as if MOB wasn't shady enough...

As someone else said, it is more likely to be a way to discredit evidence extracted by Cellebrite.

cellebrite is exactly the kind of threat signal is intended to foil. if you want cellebrite reading your messages, you are not the target userbase of signal. this is like complaining that “rm” deleted your files.
Even if I am not the target userbase of Signal, which is partly true, by using it, I benefit those who really need it for its privacy features.

The millions of users like me who do nothing sensitive with it add bulk to traffic, making it harder to single out "interesting" data. I mean, for example, if only criminals used Signal, just having the app will get you a lot of attention from the police, as it happened with Encrochat.

There are better ways to transfer contacts and photos. You trust the cell company to do it? To not maintain your / her data? To not share with law enforcement? Your threat model may be different than you realize.
You are not involved in my family. I'm well enough to determine what the threat model should be for my mother as she has trusted me to do so.

As it stands, Signal is more of a threat to her well being than anything else.

Ask her to uninstall it before going for upgrade. Then reinstall it remotely by using Google App store online - you can push installations to specific handset on the account.
Cellebrite is a digital intelligence company.

Not a single mention of carrier or consumer tools, but lots about analyzing your data.

I guess your cell phone company feeds every cell phone they work on to some centralized data repository (out of jurisdiction of your current locale) to be analyzed is what sounds like is going on.

You've not done enough research then. Cellebrite has been around for ages. When I worked at radioshack, we would use them to transfer data from old phones to new ones. They did not connect to the internet at the time.

These machines are still used for this purpose. I don't doubt they're also used for surveillance or tracking. But they're not only used for that.

You're speculating as to what the phone companies do with the machines, especially given that it would be incredibly illegal to do so and trivial to whistleblow and thus a huge risk to the companies to do this on a widespread basis. Please provide proof instead of contributing to hysteria.

It does not brick the device. It merely makes the reports it creates inaccurate. Your dear old mum won't care about that.
And where does Moxie say that's what the files do? You're speculating.
All of this could be avoided if you were part of a different network. One where you can connect with several open source clients to the server, and choose a client that didn't behave like this. One where you could save your history from the client, if you wished to do so.

You chose to get into a captive ecosystem; Signal's code-dump "look but don't touch" (well, clientside, serverside was closed source for a year). Signal's "our way or the highway".

if you re so lax about your data security, why do you use signal
Signal isn't going to do that. They just said they could do that. If you look at how they worded it, they could just drop empty files that literally do nothing (even to Cellebrite).
I now know what my lawyer would say if a phone crack by Cellebrite was introduced into evidence.
As we seem to be discussing the Gizmodo article in addition to the post from Moxie, I'm going to copy & paste my thoughts from the other thread:

While this report is entertaining to read, I have to wonder about possible downstream repercussions of the implications within the last paragraph; if you're in police custody or worse and your Signal app contains some 'aesthetically pleasing files' that interfere with the authoritarian software, it's likely going to be your ass on the line for all sorts of charges.

Don't get me wrong, the implication is enough to discredit Cellebrite, but my initial thoughts are that either this bluff gets called, or there's a non-zero risk of someone landing in even hotter water down for using Signal. Of course, this assumes that you're not already neck-deep for having encrypted data and upholding your right to privacy.

I don't see why it would be your fault. You or your lawyer can point to this very blog post to demonstrate that any interference with Cellebrite was not intentional on your part.
Could a party not argue that knowingly using software with functionality that interfered with tools such as Cellebrite was an offence of some sort? I would hope that such a take wouldn't stand, but technology laws can be pretty archaic- see exporting cryptographic software.
If using signal opens you up to more trouble because it interferes with an authoritarian regimes power over you, then signal and what it does to a cellebrite device is hardly a primary concern.

If you live in a country with the rule of law, then just using an app doesn't make you guilty of anything. The fact the this security feature has been publicly declared puts the onus on cellebrite and the police using their devices, to ensure relevant patches are applied at their end to prevent these features from working. These devices are already bypassing android and iOS security features to do what they do, this is no different.

To me these files are essentially similar to a passcode on a device.

It's so satisfying when the good guys significantly outskill the bad guys and humiliate them. This made my day.
Where can i find copies of those aesthetically pleasing files, my files are ugly
This is a tough one for me. Feels a little tit-for-tat. I don't support cellebrite. But seems like cellebrite was off the radar for Signal until it recently added Signal support. Beyond advertising I'm not sure what this all accomplishes - probably a better cellebrite product.

I'd say if Signal wanted to have an impact then silently adding support that breaks cellebrite would be more effective.

This only breaks capabilities of whomever else has the outdated package. Callebrite no doubt has kept up to date. The "van" this dropped from was probably a garbage truck