I Have a Lot to Say About Signal’s Cellebrite Hack

Riana Pfefferkorn

You may have seen a story in the news recently about vulnerabilities discovered in the digital forensics tool made by Israeli firm Cellebrite. Cellebrite’s software extracts data from mobile devices and generates a report about the extraction. It’s popular with law enforcement agencies as a tool for gathering digital evidence from smartphones in their custody. 

In April, the team behind the popular end-to-end encrypted (E2EE) chat app Signal published a blog post detailing how they had obtained a Cellebrite device, analyzed the software, and found vulnerabilities that would allow for arbitrary code execution by a device that’s being scanned with a Cellebrite tool. 

As coverage of the blog post pointed out, the vulnerability draws into question whether Cellebrite’s tools are reliable in criminal prosecutions after all. While Cellebrite has since taken steps to mitigate the vulnerability, there’s already been a motion for a new trial filed in at least one criminal case on the basis of Signal’s blog post. 

Is that motion likely to succeed? What will be the likely ramifications of Signal’s discovery in court cases? I think the impact on existing cases will be negligible, but that Signal has made an important point that may help push the mobile device forensics industry towards greater accountability for their often sloppy product security. Nevertheless, I have a raised eyebrow for Signal here too.