You may have seen the interesting tale of Cellebrite’s Signal hack claims that they cracked Signal’s at rest encryption, giving them access to encrypted messages on the app when they are physically on the device. This claim was quickly ridiculed, Cellebrite had to roll back their blog giving away their secrets, and Signal’s creator, Moxie Marlinspike Tweeted “They could have also just opened the app to look at the messages”.
However what this story of Cellebrite’s Signal hack claims does teach us is the tenacity with which hackers of all colours (both ‘good’ and ‘bad’) will pursue the challenge of breaching security defences of, well, everyone.
Cellebrite cracked the uncrackable – or did they?
Signal is universally regarded as the most secure publicly available messenger service. Their proprietary end-to-end encryption system is considered to be impossible to break, keeping all conversations secure. Additional security features include encrypting messages at rest (on your device) so that they can’t be read if the phone is hacked, and disappearing messages. As a result Signal (and other encrypted apps like it) have become popular with people who do not want their messages to be read by others.
Cellebrite’s announcement says that they have found a way to access the decryption key used to decrypt at rest messages on a user’s device. So far so good. However their initial blog set out how they can access this decryption key if they have the device itself unlocked and in their possession. As Moxie says – once you have the device in your hand, you can just open the app and read the messages that way – a whole lot quicker, and easier.
Signal users everywhere breathed sigh of relief at this point. Cellebrite can’t do anything they can do themselves. They still can’t intercept messages in transit, and they can’t access deleted messages.
What does this mean for Signal?
While Signal, the media, and commentators everywhere have quickly and correctly pointed out that this doesn’t change anything for users, this news is a precedent that Signal do not want to continue to experience.
While practically speaking it doesn’t look as though Cellebrite’s Signal hack achieved too much, the question is where will this lead next? Where will it stop – can a hacker who has access to the device remotely access the key and then exploit it? For Signal, these are questions that they should be considering now because hackers now have them in their sights.
Beneath the ridicule, this story does demonstrate that everything is hackable with enough effort – even the most encrypted of apps. In this case, Cellebrite sees this activity as ethical – their motivation is to support their customers, law enforcement agencies around the world, in their efforts to catch criminals who communicate with their networks via an encrypted chat app.
However many hackers have a different motivation entirely – causing disruption, making money, or plain old cyberespionage. If they decide that the benefits they can extract from hacking Signal is worth more than the effort in doing it, they will continue to do so.
Signal will also encounter a very common outcome of any kind of news they have been compromised – that of user confidence. As mentioned above, Signal users include politicians, journalists, business men, and other people for whom it is vitally important that their chats remain secret. Those users will be watching this news with nervousness, even as Signal, the media, and everyone else assures them that their messages are safe.
Cellebrite’s Signal hack claims – what really happened?
On the surface, one company (let’s call them company A) claimed that they had made a major breakthrough in breaking the defences of one of the world’s most secure applications (company B). This claim drew a lot of attention which then seemed to show that in reality, company A had greatly exaggerated their claims, and that company B was in fact as secure as ever. But taking the PR own goal away, the story of Cellebrite’s Signal hack has cybersecurity implications.
Everyone can be hacked to some extent or another, no matter how security conscious they are. The most determined hackers will continue to hack away (pun intended) on every security element, no matter how insignificant, until they reach their goal. For cybersecurity professionals and security conscious organisations, this means they have to be constantly on guard, improving cybersecurity defences, and ensuring that they are on top of their cybersecurity posture.
This lesson is an important one to take into 2021, a year in which cybersecurity professionals expect the security defences of every organisation to continue to be attacked.
Have a merry Christmas, and a safe and healthy new year.