Yesterday, the BBC ran a story with the factually untrue headline, “Cellebrite claimed to have cracked chat app’s encryption.” This is false. Not only can Cellebrite not break Signal encryption, but Cellebrite never even claimed to be able to.
Since we weren’t actually given the opportunity to comment in that story, we’re posting this to help to clarify things for anyone who may have seen the headline.
This world of ours
Last week, Cellebrite posted a pretty embarrassing (for them) technical article to their blog documenting the “advanced techniques” they use to parse Signal on an Android device they physically have with the screen unlocked.
This is a situation where someone is holding an unlocked phone in their hands and could simply open the app to look at the messages in it. Their post was about doing the same thing programmatically (which is equally simple), but they wrote an entire article about the “challenges” they overcame, and concluded that “…it required extensive research on many different fronts to create new capabilities from scratch.”
It’s also hard to know how such an embarrassing turn of events became anything other than a disaster for Cellebrite, but several news outlets, including the BBC, published articles about Cellebrite’s “success,” despite the existence of clarifying information already available online.
What really happened
- If you have your device, Cellebrite is not your concern. It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less “break the encryption” of that communication. They don’t do live surveillance of any kind.
- Cellebrite is not magic. Imagine that someone is physically holding your device, with the screen unlocked, in their hands. If they wanted to create a record of what’s on your device right then, they could simply open each app on your device and take screenshots of what’s there. This is what Cellebrite Physical Analyser does. It automates the process of creating that record. However, because it’s automated, it has to know how each app is structured, so it’s actually less reliable than if someone were to simply open the apps and manually take the screenshots. It is not magic, it is mediocre enterprise software.
- Cellebrite did not “accidentally reveal” their secrets. This article, and others, were written based on a poor interpretation of a Cellebrite blog post about adding Signal support to Cellebrite Physical Analyzer. Cellebrite posted something with a lot of detail, then quickly took it down and replaced it with something that has no detail. This is not because they “revealed” anything about some super advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They took it down for the exact opposite reason: it made them look bad. Articles about this post would have been more appropriately titled “Cellebrite accidentally reveals that their technical abilities are as bankrupt as their function in the world.”