A Maryland defense attorney has decided to challenge the conviction of one of his clients after recently discovering that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, had serious cybersecurity flaws that could make it vulnerable to hacking.
Ramon Rozas, who has practiced law for 25 years, told Gizmodo he was compelled to pursue a new trial after reading a widely shared blog post written by Moxie Marlinspike, CEO of the encrypted chat app Signal. Just a week ago, Marlinspike harshly criticized Cellebrite, writing in a scathing takedown that the company’s products lacked “industry-standard exploit mitigation defenses” and that the security flaws in its software could easily be exploited to manipulate data while it is being extracted from cell phones.
Since Cellebrite’s extraction software is used by law enforcement agencies around the world, questions naturally arose about the integrity of the investigations that used the technology to secure convictions.
For Rozas, the concern is that “Cellebrite’s evidence has been widely relied upon” to convict his client, who has been charged with armed robbery. The prosecution’s argument was based primarily on this data, which had been extracted from the suspect’s phone using the company’s tools. In a recently filed motion, Rozas argued that, given that “serious flaws” have since been discovered in the technology, a “new trial should be ordered so that the defense can consider the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself.”
“Cellebrite has been around for a while, but I feel like prosecutors and police have become a lot more comfortable with it,” Rozas told Gizmodo over the phone. Previously, data extraction was mostly used only in certain types of cases – usually child pornography or, sometimes, drug offenses. Now, however, the cops’ first move is usually to look for some sort of incriminating evidence on a suspect’s cell phone, he said, regardless of the type of case.
The widespread use of these tools is potentially concerning, given one of the wilder claims in Marlinspike’s blog post: that corrupted apps on a targeted phone could fundamentally overwrite any data extracted by Cellebrite’s tools – essentially allowing an outside party to manipulate data on confiscated devices.
Despite the magnitude of these security concerns, lawyers are not necessarily convinced that they will change anything. Megan Graham, who is a clinical supervising lawyer at the Samuelson Law, Technology & Public Policy Clinic at Berkeley Law School, said it was not entirely clear how the disclosures about Cellebrite’s technology could affect court cases. In all likelihood, they won’t do much for older cases, although there may be discussions in the future on how best to address potential problems with police technology, she said.
“I think it will take some time to understand what the exact legal ramifications are of this situation,” Graham said on a phone call. “I don’t know how likely it is that cases will be dismissed,” she said, adding that someone who has already been convicted would probably have to “show that someone else has identified this vulnerability and exploited it at that time” – not a particularly easy task.
“Going forward, I think it’s just hard to say,” Graham said. “We now know that this vulnerability exists and it creates concerns about the security of Cellebrite devices and the integrity of evidence.” But there’s a lot we don’t know, she stressed. Among Graham’s concerns, she said that “we don’t know if the vulnerability is being exploited”, and that it is difficult to discern when this might have become a problem in previous cases.
Ultimately, Graham said she hoped that in the future courts might try to be more thoughtful and nuanced about how they approach digital evidence – something this whole incident could help catalyze: “I think there will be cases where defense lawyers can find judges engaged [on this issue]. They’ll present the security concerns, the concerns about the evidence being manipulated, and that could be convincing. I think there will be a wide range of responses as to how it plays out in cases,” she said.
Cellebrite reportedly released new product updates on Monday, Vice News reports. The company said the patches were “released to address a recently identified security vulnerability. The security patch strengthens the protections of the solutions.” However, Vice also reports that the company did not “specifically state whether the vulnerability addressed was the same as that disclosed by Marlinspike.”