Signal's Revenge

You may have seen a story last December that a software company called Cellebrite claimed it had cracked Signal. Signal, you should already know, is the most secure messaging app you can get. You want Signal on your phone instead of whatever garbage they shipped on there.

Well, Cellebrite was lying. All they could do was copy the encrypted files Signal keeps on the phone. Nothing at all to do with breaking the encryption.

Moxie Marlinspike, the founder of Signal, was not amused. He explained the reality of the situation. All things considered, his response was quite measured.

He was clearly biding his time. (best served cold, amirite?) Yesterday, he published this blog post about a Cellebrite data-stealing kit that mysteriously came into his possession, and how he cracked it.

Read the whole thing here. The TL,DR; is that since Cellebrite indiscriminately sucks all the data off the target phone, it's not at all difficult to craft files that will thoroughly pwn the Windows machine on which Cellebrite is being run.

But my favorite part is at the end, when he mentions:

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

I, for one, will be grinning about this for days.