The ethics of not disclosing vulnerabilities

By William Entriken


From Moxie Marlinspike in the Signal blog:

We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.

He is referring to specific vulnerabilities he claims to know about which call the accuracy of Cellebrite’s software into question. Because Cellebrite’s software is used in criminal investigation and prosecution, a question of data integrity risks poisoning any criminal case where Cellebrite is used.

Because Cellebrite’s business, similar to the NSA’s, depends on hoarding vulnerabilities against US technology products, Moxie’s offer is not a viable option for Cellebrite and, effectively, is a commitment to non-disclosure.

Let’s broaden this. Moxie claims to have a vulnerability against Cellebrite which puts the viability of the entire business at risk, and he does not offer to share it.

I applaud this stance, and it is a stark contrast to what others have written about “hacking ethics”.

Too often, security researchers are expected to 1) find problems 2) without breaking (unenforceable) terms of service agreements 3) and disclose them to the vendor 4) and nobody else 5) without payment, and 6) without attribution 7) immediately, and 8) seek no recourse if the company does nothing about it.

That’s a pretty lousy and disrespectful stance towards security researchers.

If you are a security researcher you must assert your own value lest you be seen in the eight shades of worthlessness above.

Moxie continues at the bottom of that blog by threatening to poison copies of the Signal application, at random, in production, on a worldwide basis. The implication is that this would render Cellebrite’s reports questionable in any case where they are used on a phone with Signal installed.

But he should go further! He could have specifically said at the bottom of the page, in another unrelated note: “If you are a defendant in a criminal case where Cellebrite reports have been used by the prosecution (or where the prosecution failed to deny using Cellebrite reports), then my team is available as an expert witness to show a ‘reasonable doubt’ for those reports.”


Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.