‘Cellebrite’ Announced They Can Break ‘Signal’ but Retracted Technical Details

By Bill Toulas / December 22, 2020

The mobile device forensic tools expert, ‘Cellebrite,’ has recently announced it can decrypt Signal messages and attachments. Signal is a privacy-minded instant messaging app featuring end-to-end encryption, keeping the contents of user communications secret to third parties. Thus, it is used by activists, journalists, protesters, and even people who engage in illegal activities. Being free and open-source, it is also very accessible, and so it has grown to become one of the most popular choices in the field.

Cellebrite has recently posted an announcement where they detailed how they cracked the "SqlScipher" used in Signal, how they've managed to grab the decryption key from “Keystore,” and how they’ve found a way to use it for unlocking the app by carefully reviewing dozens of code classes in the code.

After Cellebrite’s engineers found a way to crack messages, they proceeded with attachment files, which was a harder feat because three individual keys are involved here. Again, by looking into the app’s open-source code, they’ve found how the decryption key is generated from the root key, how the data randomization unfolds, and which algorithm is used (HmacSHA256).

Essentially, Cellebrite reverse-engineered Signal’s encryption mechanisms and found a way to generate valid decryption keys, exploiting the project’s open-source nature. What is weird is that Cellebrite chose to describe this process in detail, proving their claims but also enabling Signal’s developers to plug the very holes that are presented in the announcement. Additionally, Cellebrite is giving competing mobile forensic tools pointers on how to break Signal and offer antagonistic solutions in the market.

In any way one chooses to see this, the form of the announcement and the presence of technical details in it was very weird. Cellebrite retracted the original post and replaced it with a heavily edited version where they simply claim that they have found a way to access Signal app data through ‘Cellebrite Physical Analyzer.’ Researcher Bruce Schneier noticed the quick withdrawal, and the original story was archived by the WayBackMachine, so the documents are there for Signal devs to review them.

One thing to clarify is that Cellebrite’s approach works for unlocked devices and data that has been extracted from the Signal folder, so there’s also the prerequisite of physical access. It’s not an interception and decryption of transmissions, doesn’t involve remote access, so Signal remains generally safe to use. If you’re worried about the data stored locally on the device, wipe them frequently, and you should be fine.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: