Signal's hack of surveillance software a big concern for courts

A surveillance software used by Australian police to extract messages, photos and other crucial pieces of evidence used in criminal hearings, has come into question after vulnerabilities were discovered that could be exploited to create falsified evidence.

Security concerns about a surveillance software developed by Cellebrite were raised in a blog post last week by Moxie Marlinspike, the founder of the encrypted app Signal. According to Marlinspike, he managed to hack Cellebrite’s Universal Forensic Extraction Device (UFED), a software program used by law enforcement agencies to gather criminally important evidence from devices.

Marlinspike said the Israeli company’s software contains up to 100 vulnerabilities that could allow hackers to change settings and access data. He said the software could be hacked with a virus loaded onto a smartphone that could allow them to change local data, as well as pre-existing data in the software’s database, and essentially “falsify” evidence.

Explaining the extent of the vulnerabilities he found in the UFED software, Marlinspike blogged, “Industry-standard exploit migration defences are missing and many opportunities for exploitation are present,” and he also said, “There are virtually no limits on the code that can be executed.” One particular vulnerability Marlinspike said was of particular concern because it “modifies not only the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices in any arbitrary way.”

Marlinspike’s comments continue what appears to be a tit for tat exchange between Signal and Cellebrite, after Cellebrite revealed last year that it had managed to crack into Signal’s app, not the company’s encryption, but the app loaded on to a smartphone that it owned.

The UFED is Cellebrite’s flagship solution for gathering data for use in criminal and civil investigations. Data obtained by UFED is routinely used as evidence in Australian judicial proceedings. In fact, Australia’s online searchable criminal proceedings database Austlii, shows more than 30 high-profile criminal cases involving the use of Cellebrite’s software, including those relating to serious crimes like murder and drug trafficking.

The Guardian reports that Cellebrite software was also the software used by Australian authorities to investigate Victoria’s hotel quarantine debacle that caused Australia’s second wave of covid-19 infection last year.

While there are currently no reports of criminal cases in Australia from which falsified evidence has been obtained, the revelations bring into question UFED’s reliability as a source of evidence. Already some legal professionals have speculated that the findings could invalidate that evidence.

In a statement to PC World Australia, Dr Jacoba Brasch QC, president of The Law Council of Australia said, “These claims are of concern from a legal perspective because any potential for data to be modified undetected may affect the reliability of the reports created and therefore may result in the evidence contained in those reports being rendered inadmissible. Where that evidence has been incorrectly admitted in court proceedings, that evidence may result in a miscarriage of justice – including a person being incorrectly found guilty of an offence.”

To minimise the possibility that evidence is challenged, and to prevent the miscarriage of justice, Dr Brasch advised investigative agencies to, “ensure that the tools they use to collect electronic evidence are free from vulnerabilities.”

“Any investigative agencies in Australia who have used Cellebrite should get expert advice about the credibility of the criticism and, assuming there is a problem, notify those affected, and then seek to verify the results they have obtained,” she said.

Cellebrite has since released an update to some of its products that may have addressed some of the security concerns raised.