[conspire] Signal's Chef's Kiss to Cellebrite
Deirdre Saoirse Moen
deirdre at deirdre.net
Thu Apr 22 08:46:32 PDT 2021
1. First, Signal goes off on Cellebrite, in a *chef's kiss* sort of way:
> By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
[...]
> For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
[...]
> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
https://signal.org/blog/cellebrite-vulnerabilities/
And a previous piece I'd missed:
> Last week, Cellebrite posted a pretty embarrassing (for them) technical article to their blog documenting the “advanced techniques” they use to parse Signal on an Android device they physically have with the screen unlocked.
> This is a situation where someone is holding an unlocked phone in their hands and could simply open the app to look at the messages in it. Their post was about doing the same thing programmatically (which is equally simple), but they wrote an entire article about the “challenges” they overcame, and concluded that “…it required extensive research on many different fronts to create new capabilities from scratch.”
> This made us scratch our heads. If this required “research,” it doesn’t inspire much awe for their existing capabilities.
> It’s hard to know how a post like that got out the door or why anyone thought revealing such limited abilities was in their interest.
https://signal.org/blog/cellebrite-and-clickbait/
2. John Gruber linked to a fantastic four-part piece from 2009 in the Los Altos Town Crier about the kidnapping of (recently deceased) Adobe co-founder Chuck Geschke.
https://daringfireball.net/linked/2021/04/21/geshke-kidnapping
We'd previously walked through John Warnock's (other Adobe co-founder) fruit orchards in Los Altos on a Common Ground garden tour.
3. And, an old school style web page, with a nod that reminded me of the old zork.net. Consider how cheeky this is for an iOS dev-turned-CEO, previously deeply steeped in froufrou UI:
https://joeblau.com
--
Deirdre Saoirse Moen
deirdre at deirdre.net