The CEO of Signal has posted the discovery of security vulnerabilities in Cellebrite products. These products are used by police to evade security on seized mobile devices and thereby download the contents for forensic examination. More details here.

What Moxie Marlinspike claims to have discovered is that malicious files on the device being probed by a Cellebrite product can hack the Cellebrite product in turn, altering not just the findings for the device being probed, but also for other devices probed in the past.

(The terms "hack" and "probe" here are used purely to distinguish the direction of the security penetration).

So, what is the legal situation if you have one of these files stored on your device? The file contains malicious software, but it only activates if the device is connected to a Cellebrite product. Assuming you didn't give permission for this, are you guilty of hacking the Cellebrite product?

I'm principally interested in US and UK law, but answers for other countries would be acceptable too.

1 Answer

A fundamental requirement of criminal culpability is intent. Based on the description this whole process is happening after a user has already had their phone seized. If a person was not aware of Signal's hidden files to damage the police's data forensics software, they will not have met the criminal intent requirement, either maliciously or under a criminal negligence theory. None of the prongs of CFAA are strict liability statutes (18 U.S. Code § 1030 "Whoever having knowingly accessed a computer..."), so that would not apply here.

If we imagine a person that is aware of all the information from Signal about their app intentionally abusing Cellebrite's package and, with intention to cause damage, downloads Signal's malicious files to their phone, I think it's an open question whether or not they would be liable under the CFAA. Specifically, 18 U.S. Code § 1030(a)(5)(A) (emphasis mine):

Whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

An argument on this could go both ways. On the one hand, the owner of the phone could be found to not have substantially caused the information to be transmitted to a protected computer, as the police were the integral cause for that in executing their warrant. On the other hand, this sort of file could be considered a digital "booby trap," and booby traps are illegal for essentially this reason, that they have a foreseeable effect of causing harm to people who are lawfully inside a building without the owner's permission. In this case, the owner's trap was sprung by law enforcement but still placed by the owner in order to damage them.

  • I'm skeptical that booby trap laws would apply in the digital realm, since there's no equivalent of the fireman's rule (there is no expectation that your cell phone may need to be broken into to protect your life, as there is with your home).
    – forest
    Commented Apr 28, 2021 at 1:17
  • @forest I think the fundamental logic could conceivably hold though, if a person intentionally puts the file on their phone which then causes some damage to the police when the police try to read it that could be enough to satisfy the "knowingly causes" requirement. I didn't go into it in the answer, but this could also be a form of evidence tampering or destruction. Commented Apr 28, 2021 at 1:50
  • I think it would very likely count as evidence tampering, at the very least.
    – forest
    Commented Apr 29, 2021 at 0:13