Signal's hack of surveillance software a big concern for courts
Surveillance software used by Australian police to extract messages, photos and other crucial pieces of evidence for criminal hearings has come into question after vulnerabilities were discovered that could be exploited to create falsified evidence.
Security concerns about surveillance software developed by
Cellebrite were raised in a blog post last week by Moxie Marlinspike, the
founder of the encrypted app Signal. According to Marlinspike, he managed to
hack Cellebrite’s Universal Forensic Extraction Device (UFED), a software
program used by law enforcement agencies to gather evidence for criminal
investigations from devices.
Marlinspike said the Israeli company’s software contains up
to 100 vulnerabilities that could allow hackers to change settings and access
data. He said the software could be hacked with a virus loaded onto a
smartphone, allowing an attacker to change local data, as well as pre-existing
data in the software’s database, and essentially “falsify” evidence.
Explaining the extent of the vulnerabilities he found in the
UFED software, Marlinspike wrote, “Industry-standard exploit mitigation
defences are missing and many opportunities for exploitation are present,” and
added, “There are virtually no limits on the code that can be executed.”
Marlinspike said one vulnerability was of particular concern because
it “modifies not only the Cellebrite report being created in that scan, but
also all previous and future generated Cellebrite reports from all previously
scanned devices in any arbitrary way.”
Marlinspike’s comments continue what appears to be a
tit-for-tat exchange between Signal and Cellebrite, after Cellebrite revealed last year
that it had managed to crack Signal’s app: not the company’s encryption,
but the app loaded onto a smartphone that it owned.
The UFED is Cellebrite’s flagship solution for gathering
data for use in criminal and civil investigations. Data obtained by UFED is
routinely used as evidence in Australian judicial proceedings. In fact,
Australia’s online searchable criminal proceedings database, AustLII, shows more
than 30 high-profile criminal cases involving the use of Cellebrite’s software,
including those relating to serious crimes like murder and drug trafficking.
The Guardian reports that Cellebrite software was also
used by Australian authorities to investigate Victoria’s hotel
quarantine debacle that caused Australia’s second wave of COVID-19 infection
last year.
While there are currently no reports of criminal cases in
Australia involving falsified evidence, the revelations
bring into question UFED’s reliability as a source of evidence. Already some
legal professionals have speculated that the findings could invalidate that
evidence.
In a statement to PC World Australia, Dr Jacoba Brasch QC,
president of the Law Council of Australia, said, “These claims are of concern
from a legal perspective because any potential for data to be modified
undetected may affect the reliability of the reports created and therefore may
result in the evidence contained in those reports being rendered inadmissible.
Where that evidence has been incorrectly admitted in court proceedings, that
evidence may result in a miscarriage of justice – including a person being
incorrectly found guilty of an offence.”
To minimise the possibility that evidence is challenged, and
to prevent miscarriages of justice, Dr Brasch advised investigative agencies
to “ensure that the tools they use to collect electronic evidence are free
from vulnerabilities.”
“Any investigative agencies in Australia who have used
Cellebrite should get expert advice about the credibility of the criticism and,
assuming there is a problem, notify those affected, and then seek to verify the
results they have obtained,” she said.
Cellebrite has since released an update to some of its
products that may have addressed some of the security concerns raised.