When I read the original blog post by Cellebrite, which is on archive.org [1], it left me scratching my head too. Signal is open source. They had access to the device to dump everything. Then they went through the source code to figure out how to decrypt the data. Just as this blog response says, they could’ve just opened the app and retrieved the contents (and even forwarded that to another device if they wanted).
So someone enthusiastically posted about wasting their time as if it was a technological achievement. Then someone (else?) realized that the long technical post sounded stupid and had it replaced.
And some people wonder where their tax money goes to — all these companies who are better at marketing themselves well as experts are getting free lunches!
> [...] Once the decrypted key is obtained, we needed to know how to decrypt the database. To do it, we used Signal’s open-source code and looked for any call to the database. After reviewing dozens of code classes, we finally found what we were looking for
> [...] After linking the attachment files and the messages we found that the attachments are also encrypted. This time, the encryption is even harder to crack. We looked again into the shared preferences file and found a value under “pref_attachment_encrypted_secret” that has “data” and “iv” fields under it.
Today I learned that I can do code cracking too...
"they could’ve just opened the app and retrieved the contents" is not really sufficient.
First, doing it manually through the app is not okay since it does not scale, you don't want to read a message, you want to retrieve and index all messages, and you might want to process many devices quickly.
Second, apps usually do not show the user all the information that's available - often there is extra metadata (which may be as important as the message contents) so you do want to decode the actual message database.
Third, doing it through the app might change things - the app may change state (for example, mark an unread message as read), send some notification to central servers, alter metadata, etc. So it potentially disrupts evidence, and that's not okay.
So the original blog post from Cellebrite makes all sense - if you do want to do forensics, then a tool that does all that is really a requirement, it's not wasting time.
As a forensic tool, it surely does, and such tools are both common and have their robust client base. I think the mistake in that article was to present a forensic tool as some kind of advanced code-breaking. I guess it sounds more exciting this way, but also kinda misleading - which is witnessed by the fact that BBC was totally misled about it.
Well, starting a blog post by pointing out criminals are using it to communicate secretly and ending the post by concluding you can read it if you gain privileged access to the device they're using to communicate is a bit of a let-down to be honest.
Now if they were able to break the Keystore itself then they might be on to something but as it is it requires convincing criminals to give up their phone and their password. If you translate this to a physical analogy people's reaction would be 'no shit', but because it's digital you can apparently get away with it.
I agree that both the original post and the media coverage of this is extremely misleading.
> So someone enthusiastically posted about wasting their time as if it was a technological achievement.
I think there's plenty of value and achievement in understanding a program's functionality, even when the source is fully available to you.
We all (presumably) agree that source code isn't self-documenting and that understanding someone else's work usually involves a lot of individual comprehension and context; I read this blog post as someone (diligently) describing their mental process as they tried to understand Signal's internal formats. As others have pointed out, there are oodles of "legitimate"[1] reasons for doing so.
[1]: From the perspective of LEO and the legal system, anyways.
I agree as far as the content of the article is concerned. I think the main problem with it was its tone. I think if they had approached it the way you described, someone just going into detail about how they analyzed an unfamiliar application, it would have been fine. As written, it feels like a new programmer bragging to his friends about how he got "hello, world" to compile.
In the use case I'm particularly familiar with (law enforcement, specifically of violent crimes), it's pretty valuable to minimize the amount of manual data handling investigators have to do. The State's Attorneys office/US Attorneys office/Prosecutor's office have finite resources and have to be selective about the cases they decide to spend resources on. Even if the correct suspect(s) has(have) been identified and arrested, the case can be rejected if the decision-making prosecutor thinks the evidence isn't strong enough or defending the evidence will be too difficult because evidence collection was done in a nonideal way. It may be possible to forward Signal messages to another device, but A) that just adds more links in the chain that can be challenged, and B) most detectives don't know that's an option or have any idea how to do it, so you'll regularly see sloppy stuff like photos taken by the detective of a phone displaying the messages of interest.
It's just a lot easier for the investigator to just plug the phone into a Cellebrite UFED analyzer and extract as much as is covered either by their search warrant or by the signed consent form of the phone's user(s), and it's a lot easier to defend in court, as it eliminates room for accusations that investigators cherry-picked messages and data that look incriminating out of context.
TL;DR: Even if it's not an impressive feature technologically, it's still a valuable feature to some of Cellebrite's main customers.
Having some familiarity, how often do you think " ... and extract as much as is covered either by their search warrant or by the signed consent form of the phone's user" is an accurate description of what actually happens in the field?
Does a UFED even have a way of selectively extracting only what's covered by a warrant?
Are warrants usually granted that would be considered outrageous fishing trips by the more privacy aware of us here?
> all these companies who are better at marketing themselves well as experts are getting free lunches
Better than us, I presume? But unless you or I are prepared to do this work (to parse data from Signal and every other application out there), for the police, for other investigation agencies, for corporate and private investigators, for lawyers, for data protection officers etc., the vast majority of whom aren't programmers or reverse engineers, what's the problem if someone else is?
I agree with your post, except for this. It is NOT a waste of time to assert, once in a while, your power to examine, extract, and change anything running on your device.
Exactly. I've so far decrypted my own messages from two different apps because I needed some specific information that would've been too hard to find without RegExp-capable search. In both cases I was glad to find guides online explaining how to pull the database, get the decryption key and decrypt the database with the key.
It may seem trivial from a security perspective since it doesn't involve breaking any cryptography, just using a decryption key as intended, but in practice the ability to get a plain-text dump of all messages is very useful.
Using only the homeowner's house key and extensive key-sliding-into-lock reverse-engineering, I'm able to break into their home. Whitepaper coming soon.
I'm guessing some overzealous 20 year old at Cellebrite "hacked" Signal and wrote a silly blog post that no one at the company reviewed and marketing was happy to have some engineering thing to blog.
To me, what is embarrassing is that all of these major news outlets and professional journalists could not actually read the article and do some very basic research before blasting out to the public. It just really shows how low the bar is to get something published. I could blow my nose on YouTube and make stock picks based on where the bugger lands and I wouldn't be surprised if BBC Business picks up the breaking story. That's how low the bar is it seems. Sad.
> I'm guessing some overzealous 20 year old at Cellebrite "hacked" Signal and wrote a silly blog post that no one at the company reviewed
More likely the opposite: Some engineer was tasked with adding Signal database handling, marketing got wind of it, and they went to town on blog posts and PR pieces about it.
Really though, they don't care that it's technically wrong. The target audience for this stuff isn't other engineers or technical people. It's their potential customers, who don't know the difference.
> It's their potential customers, who don't know the difference.
Their potential customers (forensic examiners not just in law enforcement, but also corporate investigators, incident response etc.) do know the difference. Being able to get data from the endpoint is exactly what they are after, because the alternative is that some poorly paid soul has to sit and photograph thousands of pages in numerous applications. Having access to the database saves time, reduces interaction with the exhibit and gets metadata which isn't shown on the phone.
Right, some private company posting a misleading blog post is one thing, hell, even small news blogs posting about it, I could understand. But a large news organization such as the BBC not even bothering to contact Signal to get a statement or their side of the story? What the hell... Someone should get fired over this.
> After getting the decryption key, we now needed to know what decryption algorithm to use. We went back to Signal’s open-source code and found this:
> Seeing that told us that Signal uses AES encryption in CTR mode. We used our decryption key with the AES encryption in CTR mode and decrypted the attachment files.
It’s shameful that one of the world's best journalistic sources didn’t even bother to reach out to Signal to get comment on a story they ran about them.
I feel like a lot of today’s mistrust of news stems from publications not verifying sources, or checking evidence, or at least scrutinizing what others are saying.
Related: the Gell-Mann effect. You read a newspaper story on a topic about which you are knowledgeable, and get mad at how wrong they've got everything. Then you turn the page and read the next story, on which you are not an expert, and take it at face value.
In my circles this gets me into arguments all the time. Everyone reads a book, everyone but me likes it. I point out how one section I know a lot about is deeply wrong, everyone else says versions of "well other than that part it's a great book!"
I wish LW-style rationalist circles didn't attract such obnoxious people, because I don't know of any other collection of people who recognize and try to adjust for things like this.
Thank you for this! This happens to me all the time, e.g. when they label planes (e.g. mixing F-16 and F-18) in pictures wrong. And every time I wonder what they get wrong where I'm not knowledgeable.
I like this meme, it is fun and so on, but I have to admit, it is not really a thing: I am a professional physicist and journalists at respected outlets are pretty good. NPR, PBS, NYT all do a pretty great job at science journalism. More often than not the rare complaints from professional scientists are more self-aggrandizement lacking awareness of the pedagogical constraints of popular press.
Nitpick: It's Gell-Mann amnesia, Michael Crichton's name for Murray Gell-Mann's amnesiatic behavior, not an effect discovered or promoted by Gell-Mann.
I’m just as concerned about:
> According to one cyber-security expert, the claims sounded "believable".
One anonymous source at the top of the article that bolsters the claim, then all the experts who were willing to attach their names to their words all temper the article's claim and are towards the end of the article.
The Signal blog post says from the beginning that:
> Since we weren’t actually given the opportunity to comment in that story
So it may just mean they were not given enough time to respond before publication, or even that they were contacted post-publication. In the race to front page "breaking news" the responses are expected to be published as updates to the story.
I've been on the receiving end of these calls. "This is so and so reporter from X News and we're running a story about X. Please call us back before 2pm so we can get a response."
How and when they contacted Cellebrite/Signal is important, but even when you see "refused to comment" there really isn't a timestamp for when contact was attempted/initiated. Is there a reason for this?
Additionally shameful:
- they haven't printed a retraction yet
- the technology reporter in question doesn't understand the tech well enough to recognize the error, even when somebody states it explicitly (https://mobile.twitter.com/janewakefield/status/134141965721...)
It isn’t shameful. It is yet another indicator that the journalism industry is creating the intellectual equivalent of Animal Crossing.
It’s a time waster that entertains, not a reflection of truth. How could any business be considered “the best” in its field and create such a shitty product? Simplest explanation: they are not trustworthy and never were.
This is not due to incompetence. This is done with the objective to influence the public opinion of cryptographic tools so that people will stop using them. The system has no way of actually breaking encryption, that's why it is focusing on the other ways to circumvent it - one of them being making most people (non-experts) believe that it doesn't work anyway so they will stop using it.
This is a focused campaign, this is not just random occurrence of incompetence.
I used to work at a traffic signal company. We got bad press whenever somebody "hacked" our infrastructure. It was always a super sophisticated "default password attack".
I tried to get the default password changed to unique-per-unit randomly chosen uuid, just to be so obnoxious as to convince the customer to set their own password. Encountered resistance of the "but then they'd need to be retrained" sort.
I wish I could say we didn't deserve the bad name, but we kinda did.
> I feel like a lot of today’s mistrust of news stems from publications not verifying sources
First, a nitpick: that is a thought not a feeling: you didn't state how it made you feel, you stated an idea.
Moving on... That's not why people mistrust the media. They mistrust the media because they are told to by politicians seeking to discredit journalism and control the narrative.
Double nitpick: People often colloquially use "I feel like" in place of "It is my opinion that" and it doesn't even strike me as literally wrong to describe an opinion as a feeling...
And do you think this episode is evidence of trustworthiness on the part of the BBC?
I agree with you that politicians sow distrust, but poorly researched pieces are the fault of no one but the journalists.
I am a counterexample to your main point. I distrust most media sources because I've not once seen one present rigorous, transparent, verifiable research about a current event of interest to me.
I think I've seen every media source I've followed get significant facts wrong about things I know well.
I try to fight back against Gell-Mann amnesia in my own head.
That is a fun presentation, although the title is misleading because it's 99% about the Web PKI which is orthogonal to SSL (and TLS). TLS doesn't care at all why you trust these certificates, if you want to trust certificates so long as the public key contains the decimal digits 42069 that's fine.
Even PKIX (the IETF's profile for X.509 on the Internet) is orthogonal to TLS as designed, although in practice you're creating a world of pain for yourself if you decide you do want TLS but you don't want PKIX since the two have grown next to each other for decades.
Anyway, almost all of Moxie's talk is about the Certificate Authorities in the Web PKI, and not about SSL/TLS per se at all. It's about his attempt (Convergence) at multi-perspective peer validation for authenticity to eventually replace Certificate Authorities. Could that have worked? Maybe, sort of. It never went anywhere much.
Of course in hindsight we can't blame Moxie for not guessing what will happen next - I expect few if any of us spent last Xmas thinking "Better enjoy this, next Xmas will be a totally different ball game because of a pandemic virus" either.
> Articles about this post would have been more appropriately titled “Cellebrite accidentally reveals that their technical abilities are as bankrupt as their function in the world.”
> If you have your device, Cellebrite is not your concern.
But if the attacker has a 0day, which likely all the big players do, they don't need your physical device. Which means Signal will do squat to protect your data in that case.
All nation-state governments are just buying 0days from companies like NSO Group and Zerodium.
The question is are you a valuable enough asset that they are gunna burn their $50M 0day just to get your device.
I think Signal is pretty safe from such things. Better than for example WhatsApp. Which seems to be where a majority of these nation-states are using their 0days and exploits on.
> All nation-state governments are just buying 0days from companies like NSO Group and Zerodium.
USA/Russia/Israel for sure have these programs.
> The question is are you a valuable enough asset that they are gunna burn their $50M 0day just to get your device.
You are at least an order of magnitude overshooting the price. Also what is the percentage of Android phones not on the latest security patches and pretty much wide open for known 0days? For sure 90%+.
This tech is available for anyone with enough money, there are plenty of bad guy rich people. An actual investigative journalist can easily make an enemy of a rich person.
> I think Signal is pretty safe from such things.
You base this information on what? If someone is executing code as root on your phone they can absolutely use the method described in the Cellebrite article.
If anyone has access to your device, your data can't be protected, don't matter if physical or remote access.
The attacker could simply log all your passwords, so there is nothing Signal nor any other software could do.
Those features help against Cellebrite but not against actual 0days which can read incoming messages in real-time. If the NSO has a rootkit installed on your phone, it doesn't matter that Signal is shredding messages after you read them.
[1]: https://web.archive.org/web/20201210150311/https://www.celle...
A what?
Cellebrite isn’t meant for use with devices you own; it’s meant for use with devices seized by law enforcement. I’m not so sure that qualifies here.
It would be interesting if they did that to something restricted, like a Netflix movie.
should be Tum61d.
Was this supposed to be satire?
Wish we could fix that
https://www.bbc.com/news/technology-55412230
It's 1:30pm.
https://www.youtube.com/watch?v=UawS3_iuHoA
https://www.youtube.com/watch?v=tOMiAeRwpPA
<3
was also pretty good.
https://www.zdziarski.com/blog/?p=3717
Above using the platform's secure storage for secrets, there is nothing more an app should do.
A communication has many links in a chain.
Some links in most chains will have some weakness or other. So what?
That does not mean that there is no value in the strong links.
You might as well say "But if the attacker has a sniper, which likely all the big players do, they don't need to read your communications to get you, they can just shoot you from across the street. Which means Signal will do squat to protect your life in that case."