Signal Says Cellebrite Cannot Break Its Encryption

Signal, in a blog post: Yesterday, the BBC ran a story with the factually untrue headline, "Cellebrite claimed to have cracked chat app's encryption." This is false. Not only can Cellebrite not break Signal encryption, but Cellebrite never even claimed to be able to. Since we weren't actually given the opportunity to comment in that story, we're posting this to help to clarify things for anyone who may have seen the headline. Last week, Cellebrite posted a pretty embarrassing (for them) technical article to their blog documenting the "advanced techniques" they use to parse Signal on an Android device they physically have with the screen unlocked. This is a situation where someone is holding an unlocked phone in their hands and could simply open the app to look at the messages in it. Their post was about doing the same thing programmatically (which is equally simple), but they wrote an entire article about the "challenges" they overcame, and concluded that "...it required extensive research on many different fronts to create new capabilities from scratch."

[...] What really happened: If you have your device, Cellebrite is not your concern. It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less "break the encryption" of that communication. They don't do live surveillance of any kind.

Cellebrite is not magic. Imagine that someone is physically holding your device, with the screen unlocked, in their hands. If they wanted to create a record of what's on your device right then, they could simply open each app on your device and take screenshots of what's there. This is what Cellebrite Physical Analyser does. It automates the process of creating that record. However, because it's automated, it has to know how each app is structured, so it's actually less reliable than if someone were to simply open the apps and manually take the screenshots. It is not magic, it is mediocre enterprise software. Cellebrite did not "accidentally reveal" their secrets. This article, and others, were written based on a poor interpretation of a Cellebrite blog post about adding Signal support to Cellebrite Physical Analyzer. Cellebrite posted something with a lot of detail, then quickly took it down and replaced it with something that has no detail. This is not because they "revealed" anything about some super advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They took it down for the exact opposite reason: it made them look bad.

Quite a slam

[93 Escort Wagon]

So basically Cellebrite’s actual claim was “if we have an unlocked phone in our possession, we can copy the Signal texts off of it”.

Yeah, I can see why Cellebrite pulled that page down.

Re:

[Canberra1]

The PR claim, the reporting and oversimplification for a soundbite PR opportunity is depressingly common these days. Signal is correct - However - 1) Most mobile phones have remote backup, and if law enforcement (LE) gets its hands on that backup, you may be toast. Physical access may NOT be needed. Have you ever tried to delete your phones 'backups'? 2) Most applications are too chatty, and leave breadcrumbs lying about, or another, or have known, unfixed vulns. 3) Your phones modem chip is a black box wit

Re:

[WankerWeasel]

Celebrate and other tools can break the phones passcode in many cases though, which would give them access to Signal and the messages contained within.

Re:

[Impy the Impiuos Imp]

You'll forgive him for disbelieving in a made up word that seems to suggest celebrities are bri(gh)te.

Re:

[sudonim2]

That's why you a) use a password, not a swipe code or pin number, b) add a pin to Signal, c) add a password to Signal. Those three things can short circuit most everything you can throw at Signal; which is why Signal advises you to do all three.

Re:

[gweihir]

Indeed. "If we have an unlocked phone, we can use the unlocked features". Now, I can understand the BBC being incompetent and clueless here, after all, they are not supposed to be crypto or IT security experts. But Cellbrite should really know better than to hire people that operate on this low a level of relevant clue.

To go into the details:

[BAReFO0t]

Cellebrite had root.
Cellebrite programatically asked the secure password storage of Android give it the keys for Signal.
Then they just used Signal's code (as far as I can tell) to decrypt the files, using that key.

I *literally* did that exact thing, a week earlier. (Had to get the data off a broken phone and into a different format.) ... I guess I could make a lot of money off of the cluelessness of totalitarian governments too. ^^

Moral of the story: Signal runs on an unsecured, not trustworthy OS and hardware. There is nothing Signal can do about that. And that is OK, because its job is to secure the *communication*. Not keep the physical device from being physically accessed. That is your job.
If there are entities that threaten to make you unable to do that job, no smartphone will ever cut it. In that case you need specialized hardware made for actual spies in the field and world leaders and such. With hardware security up the wazoo.
Make sure the manufacturer isn't actually an intelligence agency though, because it is obviously the most obvious place for them to sit, to catch the most high-value targets. ;)

More info

[raymorris]

Most of what Barefoot said is true. A couple of additional points are relevant:

Yes, the Signal-specific part takes place after the phone is unlocked - which Cellebrite does before running the Signal module. So that's kinda like pointing out that Tesla's new self-driving feature requires that you first buy the car. Yeah, Tesla sells self-driving as part of a car, Cellebrite sells Signal message extraction as part of their mobile forensics toolset.

It's interesting to note that the way Signal's encryption is set up, it LOOKS like you need the user's Signal PIN in order to read the messages. But it only looks that way - the levels of indirection are such that message history is readable with the PIN. Which is typical of messaging apps like standard SMS/MMS messages. Signal touts security but doesn't really store the messages any more securely than a standard SMS app, not after Cellebrite showed how to read the messages.

> There is nothing Signal can do about that. And that is OK, because its job is to secure the *communication*. Not keep the physical device from being physically accessed. That is your job.

What Signal *could* do is actually encrypt the messages based on the user's passcode/PIN/whatever. (By sealing the AES key with the PIN, probably). That way people couldn't read the messages without knowing the passcode / PIN. A quick read of the code made it look like that's what they did. A more careful examination of the code reveals that the passcode doesn't actually protect anything.

Still a Hole

[crow]

This is still a security hole. I believe Signal keeps the texts and other content encrypted on the device. They could potentially have the app refuse to allow access on criteria set by the user. Something like requiring a passcode if the phone has been unlocked longer than some time, or better if the passcode hasn't been entered recently. Perhaps require the phone to be rebooted if there are too many bad attempts.

But if the attacker has the physical phone unlocked, then presumably they can alter the clock (or even do it with a fake cell tower without unlocking), and they can alter pretty much anything the OS is telling the app, so I'm not sure how reliably they could enforce such tactics. Short of requiring a passcode every time the app is used (which defeats the simplicity of it), I'm not sure what more they can really do.

Re:

[Anonymous Coward]

Short of requiring a passcode every time the app is used (which defeats the simplicity of it), I'm not sure what more they can really do.

Maybe they're planning to, and that could be why they changed their app to get people in the habit of entering the PIN.

Re:

[Bengie]

Encryption is turtles all the way down. At some point something has to supply the secret. This security is managed by the platform because if you can't trust the platform, you can't trust anything. If the platform says "show me what you got", nothing Signal can do about it.

Re:

[Mattcelt]

Encryption is turtles all the way down

This is an excellent way of expressing the concept.

If you're really good, you can bend it back so the last turtle stands on the back of the first. But that's the holy grail of encryption, as it were.

Re:

[UnknowingFool]

No system is entirely secure. In this case, if someone has access to an unlocked device, then the messages are more vulnerable. However, Signal’s point again is that Cellebrite has not cracked its encryption as they seem to claim.