How the hacking of surveillance tech used by police could undermine Australian criminal cases
Criminal lawyers could soon begin challenging a tool Australian police routinely rely on to extract messages, photos and other information from mobile phones for investigations after the discovery of security flaws that meant data could be falsified.
Last week Moxie Marlinspike, the founder of encrypted
messaging app Signal, published a blog post outlining a series of
vulnerabilities in Israeli company Cellebrite’s surveillance devices.
Marlinspike said the weaknesses make it easy for anyone to
plant code on a phone that would take over Cellebrite’s hardware if it was used
to scan the device. It would be able to surreptitiously affect future
investigations, and rewrite data saved from previous analyses.
He claimed he found 100 vulnerabilities, including one which
could modify “not just the Cellebrite report being created in that scan, but
also all previous and future generated Cellebrite reports from all previously
scanned devices and all future scanned devices.”
The revelations have brought into question whether
Cellebrite data is now a reliable source of information when it is used as
evidence in criminal investigations and convictions.
Cellebrite is widely used by Australian law enforcement. A
search for Cellebrite on Australia’s online repository for court judgments,
Austlii, reveals dozens of rulings where Cellebrite data has been relied upon
by police as part of the investigation, and ultimately forms part of the
prosecution’s case, in cases ranging from assault and murder to drug trafficking and
child sexual abuse.
“Police will typically, where they consider that the phone
might contain relevant information, simply download the entire phone and then
review the material at their leisure,” Andrew Tiedt, criminal lawyer and
director at J Sutton Associates, told Guardian Australia. “This does require
that police have physical possession of the phone, and usually also requires
that someone give them the passcode.”
For example, last year, 20-year-old Fredon Botrus was found
guilty of murdering Alfredo Isho in a barbershop chair in Bossley Park in western
Sydney in 2019. The prosecution in that case cited messages sent by Botrus over
encrypted messaging app Wickr, which police were able to access using Cellebrite,
showing he had admitted to someone else he had “anked” Isho.
Victoria police also used Cellebrite to obtain former
commissioner Graham Ashton’s text messages from March last year as evidence in
the inquiry into issues with the state’s hotel quarantine system.
Tiedt said while he wasn’t aware of any cases to date in
Australia where the validity of data obtained from Cellebrite was challenged,
the Signal founder’s findings could go as far as making data obtained from
Cellebrite “useless”.
“Signal’s finding may go so far as to make Cellebrite
downloads useless, or at least unreliable,” he said.
“A comparable example might be if it was suddenly
revealed that the laboratory that did DNA examinations leaves everything
unlocked overnight, and anyone on the street could wander in without being
detected and destroy or damage the samples. One can only imagine the
consequences that might have for criminal prosecutions in New South Wales.
“If Signal’s claims can be proved, this could be devastating
for criminal prosecutions in every jurisdiction that relies on Cellebrite.”
There are already rumblings overseas about challenges to
cases that involve the technology.
A human rights lawyer in Israel has reportedly written to
the country’s attorney general requesting police stop using Cellebrite “until
an investigation into its efficiency and reliability is completed”.
A criminal lawyer in Maryland in the US reportedly told
technology publication Gizmodo he intends to challenge an armed robbery case
which turned on data police gathered from the client’s phone using Cellebrite.
The Law Council of Australia president, Dr Jacoba Brasch QC,
told Guardian Australia law enforcement needed to ensure the tools they use are
free from vulnerabilities to minimise the possibility that evidence is
challenged and to prevent any miscarriage of justice.
“Police also need to be ready to produce appropriately
qualified experts who the prosecution can call to give evidence about these
systems and explain the effect of vulnerabilities on the reliability of the
evidence obtained from tools such as Cellebrite,” Brasch said.
“The Law Council suggests that users should get expert
advice about the credibility of the criticism and, assuming there is a problem,
notify those affected, and then seek to verify the results they have obtained.”
Cellebrite did not respond to a request for comment. The
company said in a statement last week it “is committed to protecting the
integrity of our customers’ data, and we continually audit and update our
software in order to equip our customers with the best digital intelligence
solutions available.”
The company pushed out an update to its software this week
in the wake of the Signal founder’s blog post, reportedly fixing security
vulnerabilities and limiting one of the two ways law enforcement were able to
extract data from iPhones. The announcement accompanying the update stated the
company could not find instances where the vulnerability to modify data had
been used.
Should the use of Cellebrite prove problematic, law
enforcement now have powers under legislation passed in 2018 to request tech
companies to assist in getting access to data on devices. Although the
legislation was passed with the government stressing the powers would be used
in terrorism cases, to date none of the publicly reported instances of the powers
being used have related to terrorism cases.
State police forces Guardian Australia contacted about use
of Cellebrite either said they were unable to discuss methods of investigation,
or did not respond.