from Hacker News

Cellebrite claims it can break Signal

by degradas on 12/21/20, 12:23 PM with 6 comments

  • by upofadown on 12/21/20, 2:14 PM

    Cellebrite only claimed they had broken Signal to the extent that if they can break the phone (in particular the OS keystore) they can provide convenient access to the saved Signal data.

    The context here is that Cellebrite provides a magic box that technically naive people can use to crack cellphones. So you hook up the box and you get what you get. Interpreting the data thus revealed is part of the service.

    Interestingly enough, things that use a separate passphrase to protect the saved data are immune to a Cellebrite-style attack. Since Signal relies on the security of the underlying device, there is still a distinction that can be made here.

    Another point that falls out of this is that Signal is more secure on systems with an unbroken hardware enclave. It is also more secure when you have it delete your old messages.

    >Cellebrite’s details will make it easier for the Signal developers to patch the vulnerability.

    There is no actual Signal vulnerability here so Signal has nothing to patch.

  • by square_usual on 12/21/20, 12:48 PM

    Unless I'm reading this wrong, it seems like they have access to your data if they have access to your device. That doesn't seem like a "breach" to me - if someone has an "end" in the end-to-end encryption scheme, they almost certainly can access the data. (I don't use Signal, so I may be missing something specific here that makes a difference.)

  • by arpa on 12/21/20, 4:36 PM

    If you own the end device, end-to-end encryption is moot. Unless the key is not stored, but who cares about privacy enough to enter a 32-character password to unlock their chat?
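
The distinction drawn in upofadown's and arpa's comments, as an added example that is not part of the thread and is not Signal's or Cellebrite's code: a database key wrapped by a key held in the device keystore falls with the device, while one wrapped by a passphrase-derived key does not. The dict layout standing in for a device image, the function names and the toy XOR key wrap are assumptions made for this model.

```python
import hashlib
import hmac
import secrets

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Key-encryption key from a user secret that is never written to the device.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def seal(kek: bytes, db_key: bytes) -> dict:
    # Toy key wrap for this model only: XOR under a single-use 32-byte KEK plus
    # an HMAC tag. A real app would use an AEAD such as AES-GCM.
    wrapped = bytes(a ^ b for a, b in zip(db_key, kek))
    return {"wrapped": wrapped, "tag": hmac.new(kek, wrapped, hashlib.sha256).digest()}

def unseal(kek: bytes, blob: dict):
    expected = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong KEK: the tag does not verify
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))

def provision_keystore_design(db_key: bytes) -> dict:
    # Design A: the KEK sits in the OS keystore; no user secret is involved.
    kek = secrets.token_bytes(32)
    return {"keystore": {"kek": kek}, "app_storage": seal(kek, db_key)}

def provision_passphrase_design(db_key: bytes, passphrase: str) -> dict:
    # Design B: only the salt and the wrapped key are stored on the device.
    salt = secrets.token_bytes(16)
    blob = seal(derive_kek(passphrase, salt), db_key)
    return {"keystore": {}, "app_storage": {**blob, "salt": salt}}

def recover_from_image(image: dict, passphrase=None):
    # What is recoverable from a full device image, keystore contents included.
    store = image["app_storage"]
    if "kek" in image["keystore"]:
        return unseal(image["keystore"]["kek"], store)
    if passphrase is not None:
        return unseal(derive_kek(passphrase, store["salt"]), store)
    return None

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample database key
    a = provision_keystore_design(key)
    b = provision_passphrase_design(key, "constructed sample passphrase")
    print("keystore design, image only:  ", recover_from_image(a) == key)
    print("passphrase design, image only:", recover_from_image(b) == key)
```
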

  • by waynesonfire on 12/21/20, 6:12 PM

    Hey Cellebrite, it's not just drug dealers and criminals that use Signal. Assholes. And you didn't break shit.