The CEO of Signal has posted the discovery of security vulnerabilities in Cellebrite products. These products are used by police to evade security on seized mobile devices and thereby download the contents for forensic examination. More details here.

What Moxie Marlinspike claims to have discovered is that malicious files on the device being probed by a Cellebrite product can hack the Cellebrite product in turn, altering not just the findings for the device being probed, but also for other devices probed in the past.

(The terms "hack" and "probe" here are used purely to distinguish the direction of the security penetration).

So, what is the legal situation if you have one of these files stored on your device? The file contains malicious software, but it only activates if the device is connected to a Cellebrite product. Assuming you didn't give permission for this, are you guilty of hacking the Cellebrite product?

I'm principally interested in US and UK law, but answers for other countries would be acceptable too.

Paul Johnson

1 Answer

A fundamental requirement of criminal culpability is intent. Based on the description, this whole process is happening after a user has already had their phone seized. If a person was not aware of Signal's hidden files to damage the police's data forensics software, they will not have met the criminal intent requirement, either maliciously or under a criminal negligence theory. None of the prongs of CFAA are strict liability statutes (18 U.S. Code § 1030 "Whoever having knowingly accessed a computer..."), so that would not apply here.

If we imagine a person that is aware of all the information from Signal about their app intentionally abusing Cellebrite's package and, with intention to cause damage, downloads Signal's malicious files to their phone, I think it's an open question whether or not they would be liable under the CFAA. Specifically, 18 U.S. Code § 1030(a)(5)(A) (emphasis mine):

Whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

An argument on this could go both ways. On the one hand, the owner of the phone could be found to not have substantially caused the information to be transmitted to a protected computer, as the police were the integral cause for that in executing their warrant. On the other hand, this sort of file could be considered a digital "booby trap," and booby traps are illegal for essentially this reason, that they have a foreseeable effect of causing harm to people who are lawfully inside a building without the owner's permission. In this case, the owner's trap was sprung by law enforcement but still placed by the owner in order to damage them.

IllusiveBrian