
Signal's Cellebrite Hack Is Already Causing Grief For the Law (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: A Maryland defense attorney has decided to challenge the conviction of one of his clients after it was recently discovered that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, has severe cybersecurity flaws that could make it vulnerable to hacking. Ramon Rozas, who has practiced law for 25 years, told Gizmodo that he was compelled to pursue a new trial after reading a widely shared blog post written by the CEO of the encryption chat app Signal, Moxie Marlinspike. It was just about a week ago that Marlinspike brutally dunked on Cellebrite -- writing, in a searing takedown, that the company's products lacked basic "industry-standard exploit mitigation defenses," and that security holes in its software could easily be exploited to manipulate data during cell phone extraction.

Given the fact that Cellebrite's extraction software is used by law enforcement agencies the world over, questions have naturally emerged about the integrity of investigations that used the tech to secure convictions. For Rozas, the concerns center around the fact that "Cellebrite evidence was heavily relied upon" to convict his client, who was charged in relation to an armed robbery. The prosecution's argument essentially turned on that data, which was extracted from the suspect's phone using the company's tools. In a motion recently filed, Rozas argued that because "severe defects" have since been uncovered about the technology, a "new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself."
"I think it's going to take a while to figure out what the exact legal ramifications of this are," says Megan Graham, a Clinical Supervising Attorney at the Samuelson Law, Technology & Public Policy Clinic with Berkeley Law School. "I don't know how likely it is that cases would be thrown out," she said, adding that a person who has already been convicted would likely have to "show that someone else identified this vulnerability and exploited it at the time" -- not an especially easy task.

"Going forward, I think it's just hard to tell," Graham said. "We now know that this vulnerability exists, and it creates concerns about the security of Cellebrite devices and the integrity of evidence." But there's a lot that we don't know, she emphasized. Among Graham's concerns, she said that "we don't know if the vulnerability is being exploited," and that makes it difficult to discern when it could become an issue in past cases. "I think there will be cases where defense attorneys are able to get judges engaged [on this issue]. They will present the security concerns, worries about manipulated evidence, and it might be persuasive. I think there will be a wide array of responses when it comes to how this plays out in cases," she said.

  • by sxpert ( 139117 ) on Wednesday April 28, 2021 @08:05AM (#61323388)

    The completely unrelated

    In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

    This reads as "signal will store files with a bunch of vulns targeting the cellebrite box"

    • by DarkOx ( 621550 )

      Clearly; but what are the ramifications?

      The standard can't be the software systems law enforcement used during the investigation have to be absolutely free of exploits, especially not retroactively. If that standard is used then essentially no digital evidence gathering will be possible. There has been a 'local exploit' published for just about every software stack in use anywhere.

      Courts are going to have to allow this evidence to be impeached though if there actually are valid reasons to suspect some kind

      • Clearly; but what are the ramifications?

        These are bait for the cellebrite software to slurp up. The effect is unknown and could be anything from the software crashing, to it completely bricking the machine. There are no laws against booby-trapping files that an intruder (software or human) may happen upon.

        • Mantrapping (but on a computer).

          Should work just fine like all the other versions of the same crimes on the books for "on a computer".

      • by sjames ( 1099 )

        The standard can't be the software systems law enforcement used during the investigation have to be absolutely free of exploits

        To some extent, it must be. The standard for criminal conviction can't be lowered to "pretty sure". Given the way that police investigations tend to be an advanced form of pin the tail on the donkey, pretty much every criminal has strong motive to make someone (anyone) look more likely to be guilty than they do.

        It's fairly widely understood that there are more exploits out there than there are published reports about exploits and that there is a high probability that someone somewhere discovered an exploit

    • "the last paragraph of Moxie's text is telling:"

      I'm missing something here, like, what is the context for this paragraph?

      • what is the context for this paragraph?

        Exploiting vulnerabilities in Cellebrite [signal.org]

        • Yes, I know the source. But WTF is the context? The source only says "this is unrelated." WHY is this software downloading "aesthetically pleasing" files? Downloading from whom? Downloading to where? Downloading for what purpose? Why do we care if they are "aesthetically pleasing"?

          I suppose if I knew more about the software this may be clear, but as written, the paragraph seems to think that I can guess the context, and I can't.

          • by ChoGGi ( 522069 )

            > WHY is this software downloading "aesthetically pleasing" files?
            For use in exploiting the Cellebrite device
            > Downloading from whom?
            I'd imagine signal.org or associated servers
            > Downloading to where?
            Your phone's app storage
            > Downloading for what purpose?
            To use in exploiting the Cellebrite device
            > Why do we care if they are "aesthetically pleasing"?
            Better than being ugly looking?

    • by AmiMoJo ( 196126 )

      But what will they do? It's hard to see how they could actually tamper with evidence without breaking multiple laws.

      He seems to think that the mere existence of these vulnerabilities or a single bit of software that exploits them in some undefined way could be enough. By that logic though the fact that it runs on Windows, and Windows has security vulnerabilities and viruses, should have already had a similar effect on it.

      Courts generally won't accept "but the police computer might have had a virus that down

      • The mere existence of data taken from an electronic device introduced as evidence entitles the defense to examine the device which produced it, because the claim that the device is accurate is also considered evidence

        See my citations in other posts on this story.

        • by AmiMoJo ( 196126 )

          Agreed, and I think that in general any device used to gather evidence should be available for examination, including source code.

          Let's say the defence finds a critical vulnerability that allows an attacker to place an arbitrary text message on the victim's phone. How likely is the court to view that as reason to doubt any incriminating text messages recovered?

          Considering that Cellebrite needs the device to be unlocked to work it seems like there would be ample opportunity for the cops to simply plant fake t

          • How likely is the court to view that as reason to doubt any incriminating text messages recovered?

            That would seem to be the heart of the matter. I don't know the actual standard. Reasonable suspicion? Probable cause? Reasonable person?

      • by Anonymous Coward

        ALL OSs have viruses and vulnerabilities. What they (prosecution) would need to show the courts to prevent a retrial is:
        Did Signal perform the expected due diligence within industry norms to ensure that their software was free of compromises?
        Did the police department perform the expected due diligence to ensure that the computer was up-to-date with regards to software, security patches, virus & malware protection, etc.?
        Did the police department perform appropriate trusted-chain procedures to ensure tha

    • The mere suggestion that something may or may not happen probabilistically, at random, in your imagination, is enough to make people think twice about Cellebrite. If Signal can do it, the implication is that anyone with the technical means can do it.

      Even if these files were filled with random bytes, there's still a non-dismissible chance that it could cast doubt upon any evidence collected by Cellebrite, and this doubt alone will cause enough additional work for both Law enforcement, that they'll start loo

  • Defective by Design (Score:2, Interesting)

    by Anonymous Coward

    Cellebrite is defective by design. Law Enforcement is not interested, and is NEVER interested, in getting to the truth. It is only interested in winning convictions to support re-election for the politicians that bring in the cash from the military industrial complex.

    Intentional weaknesses that allow data from a phone extraction to be manipulated, especially in a difficult to detect way, are the obvious solution to the problem of facts and truth getting in the way of convictions. It is therefore reasonable,

    • Protecting software against a malicious user with direct access to the computer it's running on is a lost cause.

      If you out of principle discount all testimony of police in your country you should consider emigrating. At some point trust is required, not everything can have independent proof.

    • Law Enforcement is not interested, and is NEVER interested, in getting to the truth.

      "NEVER" can be refuted by a single counter-example. "Rarely if ever" or "practically never" is harder to refute. If you want to be taken seriously, please don't be so easy to disprove.

      Most Slashdotters can think of a counter-example and can stop reading now. For the benefit of the A. C. or anyone else who needs even a single counter-example to open their eyes, do a web search for the term "conviction integrity unit" to find many examples of prosecutors who go back to correct the false prosecutions of the

      • This. Precision with language is crucial for effective communication. Words have meanings.

      • do a web search for the term "conviction integrity unit" to find many examples of prosecutors who go back to correct the false prosecutions of their predecessors.

        Being a cynic I would say they do that to show how much better they are than their predecessors and not because they care about wrong convictions.
        They still want to convict as many people as possible to make their numbers look better so they can stay in power longer.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          It may be hard to prove motive, but it's trivial to show that 98% of all cases at the federal level are plead out instead of tried.

          Those people aren't all guilty; they've been coerced by agents of the State. Statistics alone should suggest something is VERY wrong.

  • Like people with more than on DNA in or on their bodies.
    Like DNA sequencing using a game of blend-the-DNA, replicate it a billion times, then puzzle one together that might or might not get all the countless huge repetitions in our chromosomes together the right way again.
    Like most fingerprints being too distorted and incomplete to give a reliable match.
    Like the flaws of human memory making witnesses dangerously wrong and easily manipulated, even into false memories. Like playing "Who in this lineup of peopl

    • *more than ONE DNA.

      To clarify: I mean chimeras, people with transplants (including hair transplants), on just simple things like spit and cum stains.

    • Funny how time passes and the instruments change, but the song remains the same.

      One of my all-time favourite cartoons appeared in the National Lampoon about 25 years ago. It shows an old lady standing with a cop, looking through a two-way mirror to pick a suspect out of a police lineup. In the lineup: a goose, a nun and a black guy.

    • But a harsh critique of our legal system!

      Can you moderatrolls please turn on your brains and the awareness of your own triggers before you read and "moderate"?? I was speaking *for* you!

  • this [theverge.com] hasn't made /. yet.

    40+ years of tough on crime means it's very easy to get convictions out of people. Add to that bad software you can't examine and you've got a recipe for disaster.
  • defense rights and chain of custody issues to deal with.
    What is the chain of custody like for a phone that has this done to it?

    Does the defense have the right to have their own Cellebrite tools so they can do on their own?

    Does the defense have the right to source code / full image dump and not just what the cops keep?

    What if say Apple helped the cops on the case in any way can a court order them to give the same help to the defense?

    • Defense has the right to that specific device and the source code/binary running on that device.

      The cops are required to keep the device in order to introduce it as evidence. If there's the possibility that it would be used in litigation, they have to keep it, period. They can't just sell it off--it might be exculpatory.

      Apple can help anyone or no one, as they please, with the exception of having to provide the source code on court order to facilitate the evaluation of evidence.

      These are all cited in my oth

      • To go even further, if a device is the subject of court proceedings as evidence, or MIGHT become evidence in potential litigation, they can't so much as update the firmware without violating 18 U.S. Code 1519: Destruction, alteration, or falsification of records in Federal investigations and bankruptcy.

  • "I don't know how likely it is that cases would be thrown out," [said Megan Graham, lawyer associated with Berkeley Law School], adding that a person who has already been convicted would likely have to "show that someone else identified this vulnerability and exploited it at the time" -- not an especially easy task.

    While the courts may actually work that way, and have an interest in not getting into infinite loops of rehearings on frivolous claims, it seems to me (a non-lawyer) that the burden of proof is su

  • by ytene ( 4376651 )
    The United States likes to use expressions such as, “The Rule of Law” and “Nobody Is Above The Law”...

    But one of the things that interested me about Moxie Marlinspike’s analysis of the Cellebrite tool was his reference to finding files there which appear to have come from Apple’s iTunes. This suggests that at least part of the ‘route in’ that the program uses is to impersonate iTunes in some way.

    But that, in turn, suggests that the Cellebrite application
    • Your comment is better worded than my comment.

      "Secondly, if law enforcement are willing to break the law to get in to a phone, what else are they willing to break the law to do?"

      Isn't there already an answer to this question? "Qualified immunity". Cops literally get away with physical assault, sexual assault (forced cavity search, no gloves, no lube, high risk for lifelong STDs) and murder. Some lawsuits have popped up but they are shot down in court because apparently cops can do no wrong and when they do

      • by ytene ( 4376651 )
        I was actually thinking more along the lines of parallel construction [wikipedia.org].

        For those unfamiliar with the term, this is a legal definition in which a police force or investigating agency may use illegal means [for example phone taps, IMSI captures, etc] to investigate a suspected criminal. If the activities performed by the police in this manner are illegal, they cannot use the evidence they obtain in a court case, because the defence would be able to cross-examine and should, if competent, be able to quickly
  • Cellebrite is doomed. The whole point is chain of evidence is preserved. For disk drives - there is hardware that does a 1:1 copy. For C - the initial backup (meant to be a forensic copy) is a fail. For C, the reports are also a fail - both can be tricked to run executables. Broadly C's software is not trustworthy in ANY forensics role, or serious evidence situation. It will take them a lot to fix up such sloppy code, and come up to Linux Forensic standards like https://linuxhint.com/top_comp... [linuxhint.com] Something
