An outstretched middle finger is an unmistakable signal, even if the finger is not shown at all, but only circumscribed in a flowery way.
Enter Moxie Marlinspike: All in one blog post published on Wednesday, which can confidently be described as punk PR, the developer of the popular messenger app Signal shows an IT forensics company from Israel the middle finger. The company is called Cellebrite, and it is best known among law enforcement officers, primarily for its solutions for unlocking and reading confiscated smartphones, which can also include signal chats. They are transmitted end-to-end encrypted, so they cannot be read remotely, but if investigators can read the source directly, the protection is gone.
–
For Marlinspike, who is committed to uncompromising commitment to signal users, this is where things get personal. Cellebrite’s customer list, Marlinspike begins his blog post, includes “authoritarian regimes in Belarus, Russia, Venezuela and China, death squadrons in Bangladesh, the military junta in Myanmar and oppressors in Turkey, the United Arab Emirates and elsewhere.” So far, so dark.
–
Fell off the truck
But then the tone of voice changes and the blog post suddenly becomes a rogue: »By a really unbelievable coincidence, I was out for a walk the other day when a small package fell from the truck in front of my eyes. As I got closer, the dreary company logo slowly became recognizable: Cellebrite. We found the current version of the Cellebrite software in the package. ”Underneath, Marlinspike placed a photo of a Cellebrite bag lying unpacked, undamaged and clean on the street.
–
This brought the unconventional app developer to the core: he examined the software, he writes, and found weaknesses in it that, according to his presentation, allow the forensics tool to be hacked and manipulated at will. A smartphone app can be programmed in such a way that it completely falsifies the results of every Cellebrite analysis, i.e. makes any evidence on a confiscated device unusable, he claims.
He immediately published a video to prove it, accompanied by scenes and quotes from the 1995 film “Hackers”, such as “mess with the best, die with the rest” (in the German version it says “Put on the best, and then you die like everyone else «).
–
Marlinspike writes that he “of course” likes to reveal details to Cellebrite – but only if the Israeli company for its part uncover all the weak points it uses to read devices, “now and in the future.”
–
The blog post closes with a paragraph that supposedly has absolutely nothing to do with what was previously described and that future versions of the Signal app will regularly load files into its memory: “These files are never used or interacted for anything within Signal never with Signals software or Signal data, but they look nice and aesthetics are important in software «. Loosely translated: Marlinspike threatens to convert Signal in such a way that the app sabotages the reading of the smartphone via Cellebrite software in the event of an emergency.
–
As entertaining as the blog post is and as much as it is celebrated in parts of the hacker community: Such a hackback could also backfire. According to well-meaning experts, Marlinspike painted a target on the app with the announced integration of a non-traceable cryptocurrency payment function in Signal. “This invites all kinds of government investigations and regulatory interference,” wrote cryptography expert Bruce Schneier, for example.
In addition, Marlinspike simply accepts the use of signals by criminals, as he indicated in the SPIEGEL interview in February. His reasoning: Criminals always have access to encrypted communication methods because they would take the necessary detours if necessary, while normal users need technology that is as easy to use as possible in order to communicate bug-proof.
–
US politicians use signal, but does that protect against interference?
So now there is also the threat of sabotaging a tool popular with investigators and thus making prosecution more difficult – it seems as if Marlinspike is practically begging to be summoned by the US Congress.
Even if US politics has so far only focused on the major online platforms and tries to induce them to take more stringent measures against abuse, for example by child rapists: Signal has grown significantly this year (how clearly, one does not want to say) and could meanwhile Have reached the relevance threshold of some MPs and senators.
So far he is happy that – as he said in February – many politicians, including the White House, are using the app themselves. But relying on them all to have enough fun to dismiss the taunts against Cellebrite as a joke could be risky.
–
–