Best of 2020: Signal App Crypto Cracked, Claims Cellebrite
As we close out 2020, we at Security Boulevard wanted to highlight the five most popular articles of the year. Following is the second in our series of the Best of 2020.
The Signal app has been cracked—its end-to-end encryption is broken. At least, that’s the preposterous claim made by infamous forensic-tool vendor Cellebrite.
But the old maxim still applies: No matter how good your technology, if your adversary controls the physical device, it’s game over.
Signal honcho Moxie Marlinspike (pictured) is not going to be a happy bunny. In today’s SB Blogwatch, we get physical.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jazz carols.
What’s the craic? Omer Benjakob and Oded Yaron report—“Firm Claims It Can Now Break Into Encrypted Signal App”:
Cellebrite can now break into Signal, an encrypted app considered safe from external snooping, it claimed. … Cellebrite’s phone-hacking technology is intended for law enforcement agencies. … However, critics have long slammed the company for selling its wares to states with poor human rights records.
Cellebrite’s flagship product is the UFED (Universal Forensic Extraction Device), a system that allows authorities to unlock and access the data of any phone in their possession. … The company announced that the analyzer [now] allows clients to decode information and data from Signal.
In an earlier, now deleted, version of the blog post, the company went as far as to say: “Decrypting Signal messages and attachments was not an easy task. It required extensive research on many different fronts to create new capabilities from scratch.” [It] included a detailed explanation of how Cellebrite “cracked the code”: by reviewing Signal’s own open source protocol and using it against it.
Cellebrite is not currently subject to independent oversight. It conducts its own examinations and maintains its own blacklist of countries that it is “forbidden” to sell technology to, [said] sources with knowledge of the company.
And Nick Farrell adds—“Cellebrite claims it can break into Signal”:
Signal, owned by the Signal Technology Foundation, uses [an] encryption system called Signal Protocol, which was thought to make it nigh-on impossible for a third party to break into a conversation or access data being shared on the platform. It does so by using end-to-end encryption.
According to Cellebrite’s announcement last week, “Law enforcement agencies are seeing a rapid rise in the adoption of highly encrypted apps like Signal, which incorporate capabilities … to stop police from reviewing data.” … In an earlier, now deleted, version of the blog post, the company said: “Decrypting Signal messages and attachments was not easy. It required extensive research on many different fronts.”
So how? Cellebrite’s Alon Ganor blogged thuswise, before the company ripped away the juicy bits—“Cellebrite’s New Solution”:
Signal keeps its database encrypted using SqlCipher, so reading it requires a key. We found that acquiring the key requires reading a value from the shared preferences file and decrypting it using a key called “AndroidSecretKey”, which is saved by an Android feature called “Keystore.”
We simply ran SqlCipher on the database with the decrypted key and the values 4096 and 1 for page size and kdf iterations. By doing so we managed to decrypt the database. … Linking the messages and the attachments requires parsing both the “sms” table and another table called “part.”
After linking the attachment files and the messages we found that the attachments are also encrypted. … We looked again into the shared preferences file and found a value under “pref_attachment_encrypted_secret” that has “data” and “iv” fields under it. The “data” field contains an encrypted json file, that … contains three keys. … Signal uses AES encryption in CTR mode. We used our decryption key with the AES encryption in CTR mode and decrypted the attachment files.
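The key chain in the quoted post, modeled on constructed data as an added example (not Cellebrite's or Signal's code): a device-held key unwraps a stored secret with "data" and "iv" fields, and that secret decrypts an attachment with AES-CTR. AES-GCM for the wrap, all key values, and treating the wrapped payload as a raw key rather than the JSON the post mentions are assumptions; the point is that every layer reduces to custody of the device key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Pref mirrors the "data" and "iv" fields of the stored, wrapped secret.
type Pref struct{ Data, IV []byte }

// mustAES panics on a bad key length; every key here is a constructed 16-byte value.
func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// Wrap seals secret under the device key (Keystore stand-in); AES-GCM is an assumption.
func Wrap(deviceKey, iv, secret []byte) Pref {
	g, _ := cipher.NewGCM(mustAES(deviceKey))
	return Pref{g.Seal(nil, iv, secret, nil), iv}
}

// CTR applies AES-CTR, the mode named for attachments; one call works both ways.
func CTR(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, in)
	return out
}

// Recover walks the chain: device key -> attachment key -> attachment plaintext.
func Recover(deviceKey []byte, p Pref, attIV, ct []byte) ([]byte, error) {
	g, _ := cipher.NewGCM(mustAES(deviceKey))
	attKey, err := g.Open(nil, p.IV, p.Data, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return CTR(attKey, attIV, ct), nil
}

func main() {
	// Constructed keys; the all-zero IV is for a reproducible demo only.
	dev, att, iv := []byte("constructed-dev!"), []byte("constructed-att!"), make([]byte, 16)
	p := Wrap(dev, iv[:12], att)
	got, err := Recover(dev, p, iv, CTR(att, iv, []byte("photo bytes")))
	fmt.Printf("%q %v\n", got, err)
}
```

The chain in this model never touches any key used for messages in transit; it only shows that stored data is readable by whoever can use the device-held key.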
But let’s support our gallant law enforcement officers, yeah? Tom McKay and Dhruv Mehrotra expand the story—“Schools Are Buying Phone-Hacking Tech”:
These invasive phone-cracking tools are not only being purchased by police departments. … School districts have been quietly purchasing these surveillance tools of their own for years.
In March 2020, the North East Independent School District, a largely Hispanic district north of San Antonio, wrote a check to Cellebrite for $6,695 for “General Supplies.” … Similar accounting documents from eight school districts, seven of which are in Texas, [show] that administrators paid as much as $11,582 for the controversial surveillance technology. … Together, the districts encompass hundreds of schools, potentially exposing hundreds of thousands of students to invasive cell phone searches.
In  the U.S. Supreme Court ruled that schools do not necessarily need a warrant to search students so long as officials have a reasonable belief a student has broken the law or school policy. … Cell phones are deeply personal items, and it’s easy to imagine how embarrassing and potentially catastrophic it would be if an administrator or school resource officer used a Cellebrite to download students’ private text messages, photos, social media posts, location history, and more.
Ultimately, [we] turned up more questions than answers. … Who is subject to these searches, and who is carrying them out? How many students have had their devices searched and what were the circumstances? Were students or their parents ever asked to give any kind of meaningful consent, or even notified of the phone searches in the first place? What is done with the data afterward?
Will this put people off Signal? Not on your nellie, says BAReFO0t:
Make no mistake, Moxie’s gonna be all over this and fix it ASAP, if it isn’t merely a lie for them backdooring the Android it runs on, like everyone else would do. … I don’t see how they could have broken perfect forward secrecy, unless the underlying cypher or key exchange had been broken. And that would have *way* bigger implications than just Signal.
So NoneSuch puts on an unspecified foreign accent:
Welcome to the age of fascism. You’re not actually guilty of anything, but we’re just gonna check your phone to be sure.
Wait. Pause. ronaldbeal says this is a mountain made out of a molehill:
Codswallop. … Their claim is that if they have access to your unlocked phone, they can crack the SQL DB where old messages are stored and read them.
If I, or anyone else has access to your unlocked phone, we could probably just launch the Signal app, and see your old messages. Nowhere do they claim to break messages in transit. A big nothingburger.
What’s that old maxim? c1ue clues us in:
To be clear: There is no way to protect anything electronic from an attacker with time and money. The phones can be disassembled and their SSD memories copied — at which point all you need is to know the software architecture and you can run parallel attacks on the cloud against virtual copies.
Meanwhile, PPH is confused:
Why did they announce the capability? I don’t recall Churchill bragging about breaking Enigma during WWII.
Trigger warnings: Gurning drummer, semiquavers, Doctor Who.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: John S. and James L. Knight Foundation (cc:by-sa)