Reality 2.0 Newsletter - May 6, 2021: Hack the Planet

To get this weekly dose of Reality delivered by email, sign up on our Substack page.

A Quick Plug

Episode 68: Signal Snoops On Cellebrite as They Snoop On Us

Katherine Druckman and Doc Searls chat with Kyle Rankin and Shawn Powers about Signal’s exposure of vulnerabilities in Cellebrite’s mobile device hacking software.

Please remember to subscribe via the podcast player of your choice.

Signal’s founder, known as Moxie Marlinspike, recently posted a quite thorough outline of significant vulnerabilities in the Cellebrite phone analysis software used by law enforcement and governments around the world to extract data from mobile devices. As this software has reputedly been used in ethically questionable ways, it makes perfect sense that a hacker/privacy activist would target Cellebrite, and especially after word got out (erroneously) that Signal’s app was vulnerable to Cellebrite software.

The blog post went as far as to suggest that an app could effectively booby trap itself to completely undermine the Cellebrite system.

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

Also interesting are the potential legal consequences of these vulnerabilities. A Maryland lawyer is currently challenging a conviction that was largely based on evidence gathered using Cellebrite’s analysis, on the grounds that its integrity is now highly questionable.

Kyle Rankin and Shawn Powers joined us in last week’s episode to talk through this news, and other issues. And interestingly, we previously discussed the new trend of schools using Cellebrite tools to violate student privacy in Episode 52: Fragmentation and Outrage of the Week, which is frankly just as outrageous today as then. Is this latest hack perhaps a little karmic justice?

Please feel free to reach out here in a comment, or on any of our social outlets, or via our contact form.

That Awesome Video

This is a must-watch video, originally posted in the Signal blog post. We promise it will speak to your hacker soul.

This Week’s Reading List

  • Australia’s vague anti-encryption law sets a dangerous new precedent - ProtonMail Blog — the Australian government and its Labor partners rammed a shockingly invasive anti-encryption law through Parliament, over the objections of experts, businesses, and civil rights groups.

  • Australia's Encryption-Busting Law Could Impact Global Privacy | WIRED — Australia has passed a law that would require companies to weaken their encryption, a move that could reverberate globally.

  • P versus NP problem - Wikipedia — The P versus NP problem is a major unsolved problem in computer science. It asks whether every problem whose solution can be quickly verified can also be solved quickly.

  • Data Double Dipping: When Companies Mine Paying Customers – Purism — There’s an old snarky saying among privacy advocates: “If you aren’t paying for something, you are the product!” This updated version of “There’s no such thing as a free lunch” arose in the Internet age among the ever-growing list of free services and apps on the Internet funded by collecting and selling your data to advertisers. If large companies like Google and Facebook are any indication, a lot of money can be made with user data and the more data you collect, the more money you can make.

  • Eva Galperin: What you need to know about stalkerware | TED Talk — "Full access to a person's phone is the next best thing to full access to a person's mind," says cybersecurity expert Eva Galperin. In an urgent talk, she describes the emerging danger of stalkerware -- software designed to spy on someone by gaining access to their devices without their knowledge -- and calls on antivirus companies to recognize these programs as malicious in order to discourage abusers and protect victims.

  • Reality 2.0 Episode 52: Fragmentation and Outrage of the Week — Doc Searls and Katherine Druckman talk to Kyle Rankin about fragmentation and software development, the Amazon Halo, and surveilling school children.

  • This Is How They Tell Me the World Ends — From New York Times cybersecurity reporter Nicole Perlroth, THIS IS HOW THEY TELL ME THE WORLD ENDS is the untold story of the cyber arms trade - the most secretive, invisible, government-backed market on earth - and a terrifying first look at a new kind of global warfare.

The Reality 2.0 Podcast explores how tech, privacy, and security impact reality in a post-COVID world. Subscribe now and don't miss a thing! We welcome your feedback at our contact page.
