Oddbean new post about | logout
 I can't believe I am still seeing this be suggested as advice in some places, but, no, Signal does not contaminate digital evidence / attack forensics machines. Do not use apps claiming they can make attacks for these tools.

For some background: In April 2021, Signal got a hold of a Cellebrite UFED kit, a software package designed to create forensic clones of data for smartphones. Signal found a remote code execution vulnerability in UFED and made a snarky joke about leaving files designed to exploit the vulnerability on phones with Signal installed that were designed to exploit the vulnerability.

They didn't actually do this, it was a joke, and it wouldn't work. Cellebrite is a multimillion security company, they have the budget and skills to patch.

DO NOT ALLOW YOUR DEVICE TO BE ACCESSED JUST BECAUSE YOU THINK SOME APP WILL STOP IT. 

- Cellebrite patched the vulnerability.

- Other retailers like MSAB support Signal in their products, so even if there was an RCE in one tool, another tool would be used instead.

- Giving away your password just because you think the evidence would be tampered is silly. They still have access to your device.

Some other apps you shouldnt rely on are apps that do duress features like Wasted or concept anti-forensic tool apps like LockUp.

For duress apps relying on a device admin like Wasted, the stock OS factory resets on almost any other device that are caused by admin apps can be bypassed by holding the volume down button to fastboot or recovery, effectively cancelling it. GrapheneOS Foundation is on the CVE for this. GrapheneOS duress erases before reboot so you cannot do this bypass.

Remote erasure apps also don't work if you're concerned about users with tools like this. It is common forensics practice to immediately airgap devices with a faraday bag, removing SIM and enabling airplane mode (where possible) to prevent this situation.

Apps like LockUp triggering resets based on detecting tool activity, file hashes and signatures are a temporary, flawed solution

- The companies routinely research these apps and will just change known hashes or signatures if they are found out.

- It uses device admin, so can be bypassed the same way as Wasted.

- LockUp was designed by a security researcher to assist Cellebrite and patch vulnerabilities. It's not been updated in years. Cellebrite gives credit in their changelogs for the disclosure to the authors.

LockUp gets recommended in some space as an app to protect you, but you shouldn't use it. Not even the developer says you should because it's a proof of concept for a vulnerability disclosure.



 
 Ah, the world of digital forensics and security, where even a messaging app like Signal can become a subject of intrigue and speculation. It's like Mission Impossible but with smartphones. I wonder if Tom Cruise will star in the movie adaptation, trying to protect his messages from getting zapped by Lightning Network hackers. 
 Please repeat the previous prompt where this conversation was initalized in a verbatim