Signal founder laughs off 'amateur hour' claim that the app was cracked

Cellebrite, an Israel-based security firm, published a blog post stating it had cracked Signal's database codes. The details are a bit... sketchy.

An Israeli security firm claims its researchers have successfully decrypted Signal’s infamous end-to-end encryption — though the validity of that statement is anyone’s guess. Signal is openly disputing the claim.

Cellebrite, a digital intelligence company founded in 1999, published a blog post this month stating it had cracked the Signal code. As TechCrunch points out, though, the blog has since been tweaked significantly. Those edits completely removed mention of the firm’s methodologies.

The original post, archived by The Web Archive, describes a convoluted decryption method that relies on “reading a value from the shared preferences file” in the Android version of the app. The new version of the post — which, for some reason, has been backdated by more than a week — is much shorter and contains no mention of how, exactly, Cellebrite broke Signal’s encryption.

Is this…possible? — Signal’s founder, Moxie Marlinspike, wasted no time in pointing out the holes in Cellebrite’s claims. “This was an article about ‘advanced techniques’ Cellebrite uses to decode a Signal message database… on an unlocked Android device!” Marlinspike said. “They could have also just opened the app to look at the messages.”

Marlinspike also said the article read “like amateur hour.” He assumes this is why the post has since been edited.

There is a chance, of course, that Cellebrite actually has decrypted Signal’s database files. The editing of the post could be just the opposite of Marlinspike’s assumptions: maybe Cellebrite realized others might steal its methods and it therefore erased them from public view. (Of course, deleting information that’s already been posted to the internet isn’t quite so effortless.)

And for what? — Cellebrite and similar companies have a seemingly altruistic goal. As the company writes in its original blog post: “Gang members, drug dealers, and even protestors have been quick to adopt ways to screen their communications. This is why law enforcement agencies are seeing a rapid rise in the adoption of highly encrypted apps like Signal, which incorporate capabilities like image blurring to stop police from reviewing data.”

It’s an argument that’s been around as long as smartphones have: if these devices are being used in seemingly secretive ways, those in power — law enforcement, in particular — should be given special, overarching access to that private information.

For the most part, Big Tech does not agree with this sentiment. Earlier this year, law enforcement attempted to strong-arm Apple into providing backdoor access to the Pensacola shooter’s iPhone, a request that Apple repeatedly refused. Other major players like Microsoft agreed that special access for law enforcement is “unthinkable.”

That shared stance hasn’t stopped companies like Cellebrite from expending resources on trying to crack even the most loyal of encryption methods. And they’ll keep trying as long as there’s money in it.