Tags: forensics, signal, vulnerability

Cellebrite vs. Signal

After Cellebrite added Signal parsing to its forensic device, Moxie Marlinspike said one 'fell off a truck' in front of him. Then he reverse-engineered it on stage.

Cyber Chronicle · 2 min read

Cellebrite, an Israeli forensic tools vendor, sold devices that, once connected to an unlocked phone, would extract its data in a format prosecutors could use in court. In December 2020, Cellebrite announced support for parsing Signal messages. The implication, leveraged in marketing materials, was that secure messaging was no longer secure.

A truck and a parking lot

In April 2021, Moxie Marlinspike — the founder of Signal — published a blog post claiming that "by a truly unbelievable coincidence" a sealed Cellebrite device had fallen off the back of a truck in front of him on a walk. The bit was clearly facetious. Less facetious was the technical write-up that followed.

Marlinspike documented multiple memory-corruption bugs in the parsers Cellebrite used to ingest files from a connected phone. A specially crafted file on a phone, when processed by the Cellebrite device, could execute arbitrary code on that device — and modify any report it had ever generated or would ever generate. The implication was severe. Every Cellebrite-derived forensic report in active court cases potentially had to be re-examined for integrity.

The post ended with the suggestion that future versions of Signal might include such files as inert artifacts, "purely for aesthetic reasons", on a small subset of devices.

What the chronicle remembers

Cellebrite vs. Signal is the rare case of a defender publicly humiliating a commercial forensic vendor on the latter's own home turf. It also demonstrated, more substantively, that forensic-tool integrity is itself a security property — and that integrity, when broken, can ripple back into the chain-of-custody assumptions of an entire legal system.