No, an Israeli company can't hack into Signal on your phone
Journalists and human rights activists are not at risk of their phones being hacked while using Signal, despite Israeli intelligence company Cellebrite claiming it can crack the app, Middle East Eye has learned.
Signal is an encrypted end-to-end messaging app released in 2010 by Moxie Marlinspike, an American entrepreneur and cryptographer who worked for Google, Facebook and WhatsApp between 2012 and 2016, and implemented the Signal code into their services.
The app has risen to be a pivotal tool for journalists and human rights activists, who commonly use it to contact sources believing the messaging service is secure. Across the Middle East and elsewhere, governments have used technology - often developed in Israel - to hack phones through messaging apps.
'Signal guarantees security during the communication through end-to-end encryption, but the security of the data on the phone relies on the security of the system itself'
- Etienne Maynier, Amnesty International
While Facebook, WhatsApp and Skype use the Signal code to encrypt their users' messages, Signal's app is known for its strong encryption, which adds an extra layer to its end-to-end messaging, encrypting the files and attachments sent by users, making it safe from third party software.
Last week, however, Cellebrite, an Israeli company owned by Sun Cooperation and trading on Japan’s securities exchange market, wrote in a blog post that its product Universal Forensic Extraction Device (UFED) can access, lift and analyse data of mobile phones using the app.
Stay informed with MEE's newsletters
Sign up to get the latest alerts, insights and analysis, starting with Turkey Unpacked
Cellbrite said that it had developed the Physical Analyzer to access data on Signal, which it said would help its users "uncover digital evidence and create court-ready exhibits".
The post was subsequently deleted, and techonology experts have been quick to dismiss the company's claims.
Etienne Maynier, a security researcher at Amnesty International, told MEE that Cellebrite's technology is not "groundbreaking".
In order for Cellebrite to access data and run a forensic analysis, it needs full access to the phone, whether through a passcode, touch ID or facial recognition.
This could be obtained by two methods: legally, by law enforcement asking the user to supply the passcode, or by a technical approach, which exploits vulnerable security issues in the device's system.
“Once the tool [of Cellebrite's UFED] has full access to the phone data, there is nothing technically preventing it to access Signal data… Cellebrite does not contain anything groundbreaking beside explaining technically how to read this data with full access to the phone,” Maynier said.
Maynier added that whoever has access to the "unlocked" phone device will subsequently have access to the Signal data, and possibly to other applications on the phone.
“Signal guarantees security during the communication through end-to-end encryption, but the security of the data on the phone relies on the security of the system itself,” Etienne said.
After reports circulated that Cellebrite's "advanced technologies" could break Signal code on unlocked phone devices, Marlinspike, Signal's creator, tweeted on Friday: "They could have also just opened the app to look at the messages."
Human rights due diligence
Founded in 1999, Cellebrite's technology is used in 154 countires, and the company says it "has made convictions possible in more than five million cases of serious crime, such as murder, rape, human trafficking and paedophilia."
Cellebrite’s UFED is a device, close in shape to a tablet, which is connected to a phone to access data. It is already being used by American police forces and the FBI.
Last week, eight American public schools purchased “mobile device forensic tools” from Cellebrite to access data on their students' phones, according to Apple Insider.
Its UEFD flagship product can pull SMS messages, call logs, internet browsing histories and deleted data from phones.
In January 2017, data stolen from Cellebrite was sold to Turkey, Saudi Arabia and United Arab Emirates, countries known for their jailing of journalists and activists.
It also sold its wares to repressive countries such as Venezuela, Belarus and Indonesia. In October it ceased selling intelligence technologies to China and the Hong Kong administration following international criticism.
"Cellebrite as a company has to take adequate human rights due diligence to make sure that their products are not used to violate human rights," Amnesty's Maynier said.
Middle East Eye asked Cellebrite for comment, and why it deleted its post boasting its techonology could hack Signal.
Several Israeli companies, whose founders and employees hail from the intelligence and defence industries, have developed technologies to hack and spy on mobile phones.
Most famously, Israel’s largest surveillance company NSO Group sold its Pegasus spyware to several repressive Arab governments, including Saudi Arabia, the UAE and Morocco, who have used it to spy on journalists and activists.
On Tuesday, Signal launched encrypted video group meeting calls, hoping to replace Zoom, which has been used widely for remote working and had several security pitfalls during the pandemic.
Middle East Eye delivers independent and unrivalled coverage and analysis of the Middle East, North Africa and beyond. To learn more about republishing this content and the associated fees, please fill out this form. More about MEE can be found here.
