Hacking firm claims it can decrypt Signal app’s on-device encryption

Technology

A company claims it can decrypt messages sent using the Signal messenger app on Android phones, despite it being considered to be one of the most secure apps around that offers end-to-end encryption.

Cellebrite, an Israel-based but Japanese-owned security company, has previously been reported to have helped the FBI access the iPhone of one of the San Bernadino shooters.

In a new blog post, the company claims it is able to decrypt Signal messages as they are stored on Android devices by retrieving the key used to encrypt them while they’re at rest, although it is importantly not claiming to be able to decrypt intercepted messages between two Signal users.

The impact of Cellebrite’s ability to decrypt messages at rest is unclear at the moment. The company acknowledges that it sells its devices to both law enforcement and private sector organisations.

“At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives,” the company stated.

As an app, Signal is used by people who want to ensure their communications are secure, a set which includes journalists and politicians, as well as criminals and others it would be legitimate for police to target.

While it is not considered possible to intercept messages sent between Signal users, there is a separate risk that the messages could be seen if one of the users’ phones was taken by a third party.

More from Science & Tech

To secure these messages at rest, Signal encrypts them – and it is this encryption which Cellebrite is claiming to have found a way to decrypt.

Signal does offer its users additional protection when it comes to potential snoopers who have gained access to their phone by allowing messages in a conversation to automatically delete after a given amount of time has passed since they were read.

Exchanging messages with Sky News on Twitter, Professor Alan Woodward at Surrey University said: “Once someone can open your phone, or you open your phone, then [that is] game over for [end-to-end] encrypted messages anyway.

“But this is Cellebrite who build kit to analyse phones seized by law enforcement,” Professor Woodward added, suggesting that the at-rest decryption feature could be one that some of Signal’s users also place value in.

Neither Signal nor Cellebrite responded to Sky News’ requests for comment.

Products You May Like