Signal’s Cellebrite Hack Is Already Causing Grief For the Law

Signal’s Cellebrite Hack Is Already Causing Grief For the Law (



from the let’s-wait-and-see dept.

An anonymous reader quotes a report from Gizmodo: A Maryland defense attorney has decided to challenge the conviction of one of his clients after it was recently discovered that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, has severe cybersecurity flaws that could make it vulnerable to hacking. Ramon Rozas, who has practiced law for 25 years, told Gizmodo that he was compelled to pursue a new trial after reading a widely shared blog post written by the CEO of the encryption chat app Signal, Moxie Marlinspike. It was just about a week ago that Marlinspike brutally dunked on Cellebrite — writing, in a searing takedown, that the company’s products lacked basic “industry-standard exploit mitigation defenses,” and that security holes in its software could easily be exploited to manipulate data during cell phone extraction.

Given the fact that Cellebrite’s extraction software is used by law enforcement agencies the world over, questions have naturally emerged about the integrity of investigations that used the tech to secure convictions. For Rozas, the concerns center around the fact that “Cellebrite evidence was heavily relied upon” to convict his client, who was charged in relation to an armed robbery. The prosecution’s argument essentially turned on that data, which was extracted from the suspect’s phone using the company’s tools. In a motion recently filed, Rozas argued that because “severe defects” have since been uncovered about the technology, a “new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself.”

“I think it’s going to take a while to figure out what the exact legal ramifications of this are,” says Megan Graham, a Clinical Supervising Attorney at the Samuelson Law, Technology & Public Policy Clinic with Berkeley Law School. “I don’t know how likely it is that cases would be thrown out,” she said, adding that a person who has already been convicted would likely have to “show that someone else identified this vulnerability and exploited it at the time” — not an especially easy task.

“Going forward, I think it’s just hard to tell,” Graham said. “We now know that this vulnerability exists, and it creates concerns about the security of Cellebrite devices and the integrity of evidence.” But there’s a lot that we don’t know, she emphasized. Among Graham’s concerns, she said that “we don’t know if the vulnerability is being exploited,” and that makes it difficult to discern when it could become an issue in past cases. “I think there will be cases where defense attorneys are able to get judges engaged [on this issue]. They will present the security concerns, worries about manipulated evidence, and it might be persuasive. I think there will be a wide array of responses when it comes to how this plays out in cases,” she said.

To iterate is human, to recurse, divine.
— Robert Heller


Read More