No, Cellebrite cannot 'break Signal encryption.'

moxie0 on 23 Dec 2020

Yesterday, the BBC ran a story with the factually untrue headline, “Cellebrite claimed to have cracked chat app’s encryption.” This is false. Not only can Cellebrite not break Signal encryption, but Cellebrite never even claimed to be able to.

Since we weren’t actually given the opportunity to comment in that story, we’re posting this to help to clarify things for anyone who may have seen the headline.

This world of ours

Last week, Cellebrite posted a pretty embarrassing (for them) technical article to their blog documenting the “advanced techniques” they use to parse Signal on an Android device they physically have with the screen unlocked.

This is a situation where someone is holding an unlocked phone in their hands and could simply open the app to look at the messages in it. Their post was about doing the same thing programmatically (which is equally simple), but they wrote an entire article about the “challenges” they overcame, and concluded that “…it required extensive research on many different fronts to create new capabilities from scratch.”

This made us scratch our heads. If this required “research,” it doesn’t inspire much awe for their existing capabilities.

It’s hard to know how a post like that got out the door or why anyone thought revealing such limited abilities was in their interest. Based on the initial reception, Cellebrite must have realized that amateur hour was not a good look, and the post was quickly taken down. They then must have realized that a 404 error isn’t any better, and replaced that again with a vague summary.

It’s also hard to know how such an embarrassing turn of events became anything other than a disaster for Cellebrite, but several news outlets, including the BBC, published articles about Cellebrite’s “success,” despite the existence of clarifying information already available online.

What really happened

  1. If you have your device, Cellebrite is not your concern. It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less “break the encryption” of that communication. They don’t do live surveillance of any kind.
  2. Cellebrite is not magic. Imagine that someone is physically holding your device, with the screen unlocked, in their hands. If they wanted to create a record of what’s on your device right then, they could simply open each app on your device and take screenshots of what’s there. This is what Cellebrite Physical Analyser does. It automates the process of creating that record. However, because it’s automated, it has to know how each app is structured, so it’s actually less reliable than if someone were to simply open the apps and manually take the screenshots. It is not magic, it is mediocre enterprise software.
  3. Cellebrite did not “accidentally reveal” their secrets. This article, and others, were written based on a poor interpretation of a Cellebrite blog post about adding Signal support to Cellebrite Physical Analyzer. Cellebrite posted something with a lot of detail, then quickly took it down and replaced it with something that has no detail. This is not because they “revealed” anything about some super advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They took it down for the exact opposite reason: it made them look bad. Articles about this post would have been more appropriately titled “Cellebrite accidentally reveals that their technical abilities are as bankrupt as their function in the world.”

If you are concerned about a situation where someone else might end up physically holding your device with the screen unlocked in their hands, Signal can still help. Features like disappearing messages and view-once media messages allow you to communicate more ephemerally and keep your conversations tidy.

It is unfortunate such misleading and inaccurate stories like these spread so quickly, particularly because so many people will see that headline and so few will see the correction. If you see people confused by this kind of irresponsible reporting, please help by sharing this with them.