first, let me get something out of the way…
fuck Cellebrite. like really. fuck’em.
This post does not try to protect Cellebrite in any shape or form, instead i would like to talk about moxie and his recent post.
It seems like moxie spent quite a lot of time shaming Cellebrite for their poorly written software (well deserved btw). but so what if they have badly written software? let me explain.
if you ever whiffed around israeli startups, and specifically ones who are obsessed with “getting first to market”, you will not be surprised by moxie’s finds. It is almost a proverb in Israel about how badly some startups try to polish their turd shaped code into something they can sell off, or profit from as long as they can.
If it works, and the company makes money, they will not spend a second on trying to make their code nice or secure. Oh the things i’ve seen and heard …
Given that mentality, Cellebrite has no reason to make their product secure, especially when their attack surface is small with low volume of units in the wild (compared to cellphones) and with contracts their clients have to sign that will make your mom cry. This covers their asses if someone ever tries to do something they don’t like.
yes their product is insecure, yes it might be used against them (really, fuck Cellebrite) but there is a moralistic issue here which i think is overlooked.
Given the access opportunity to Cellebrite products i would expect moxie to do more than try to seed some fear in Cellebrite with some “aesthetic” files that might mess up their unit and the data on it. That doesn’t stop them, it just messes with the clients (fuck them too), they will just write it off as a bug and send the client a new unit the next day, which doesn’t solve the root issue here.
Cellebrite exploits Android’s and Apple’s ecosystem in some way. I would expect moxie, or one of his many connections in the industry, to uncover these exploits, not just for signal but for all users out there. Uncovering and disclosing to the relevant companies is the moral thing to do. I hope he will in the future. but i’m not holding my breath for it.
For someone who spends a lot of time telling you that they are “protecting users” moxie falls short where it actually matters. This is not just about signal users, but all users out there that might come into contact with Cellebrite’s awful devices. Focusing only on signal is an extremely narrow way of looking at things.
so what do you think? will we see some disclosures from him or his team?