The encrypted messaging app Signal claims to have found flaws in the software used by cybersecurity company Cellebrite.
The two companies have been at odds since Cellebrite claimed it hacked Signal’s secure messaging last year – a claim it has fiercely disputed.
In the latest argument, Signal boss Moxie Marlinspike joked that he acquired the Cellebrite system after it “fell from a truck” in front of him.
And, he claimed, his software was so faulty that it could easily be hacked.
“There is virtually no limit on the code that can be executed,” he wrote in a blog, suggesting that the loopholes could be used to access data, change settings, etc.
In a statement, Cellebrite said, “We are constantly striving to ensure that our products and software meet and exceed the highest industry standards so that all data produced with our tools is validated and scientifically reliable.”
Mr. Marlinspike said: “By a truly incredible coincidence, I was recently out for a walk when I saw a small package drop from a truck in front of me.
“Inside we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent hacking … and an oddly high number of cable adapters.”
Hinting at his motivations for the blog post, he said, “Their software is often associated with security circumvention, so let’s take the time to look at the security of their own software.”
And in a video loaded with satirical references to the cult 1995 movie Hackers, Mr. Marlinspike went on to show that he apparently executed a simple piece of code on a machine running Cellebrite software, which he said showed an easy way to compromise the company’s security system.
“It is possible to run any code,” he added, “and a true operating payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports ( maybe random) or exfiltrating the data from the Cellebrite machine. “
They say revenge is a dish best served cold – but in this case, it was served with a giggle.
Signal’s blog post is full of hacking references and sharp jibes at Cellebrite.
The flaws Signal claims to have uncovered in Cellebrite’s controversial technology, if correct, are embarrassing for a company that considers itself smart enough to break into secure messaging systems.
And that comes, of course, just months after Cellebrite claimed to have developed a way to decipher private Signal messages – a claim since debunked.
This cybersecurity revenge research therefore appears to have left Cellebrite with questions to answer.
Cyber security expert Andrew Morris summed up this story best when he tweeted: “This blog post is the nerd equivalent of an absolutely ruthless rap diss track.”
And that rap hacking battle may have already ended with a Micro Signal drop.
The row began in December, when Cellebrite claimed to have cracked Signal’s encryption system, in a blog post, it was later edited to minimize the claim.
Signal responded by calling the claim “quite embarrassing” and criticizing the media coverage – especially that of BBC News.
In his most recent article, Mr. Marlinspike said: “One way of thinking about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they can open any apps they want and take screenshots. screen of everything in it to save it. and come back later, “
“Cellebrite basically automates this process for someone who’s holding your device in their hands.”
In her own statement, Cellebrite said she “understands that research is the cornerstone to ensuring this validation, ensuring that legally obtained digital evidence is used to seek justice.”
“We will continue to integrate these standards into our products, software and the Cellebrite team, in order to provide the most efficient, secure and user-friendly tools to our customers,” he added.