techno.rentetan.com – A Maryland defense attorney has decided to challenge the conviction of one of his clients following the recent discovery of serious cyber security defects in the phone-cracking product used in the case, which is produced by the digital forensics company Cellebrite.
Following a lengthy blog post written by Moxie Marlinspike, the chairman of the encrypted chat application Signal, Ramon Rozas, who has been practicing law for 25 years, told Gizmodo that he felt compelled to pursue a new trial. Only about a week ago, Marlinspike brutally dunked on Cellebrite, writing that the company's products lack basic “industry-standard mitigation defenses” and that the security holes in its software could easily be exploited to manipulate data during cell phone extraction.
Given that Cellebrite's extraction software is used by law enforcement agencies around the world, questions have naturally emerged about the integrity of investigations that used the tech to secure convictions.
For Rozas, the main concern is “the heavy reliance on Cellebrite evidence” to convict his client, who has been charged with armed robbery. In essence, the prosecution argued that the data was extracted from the suspect's phone using the company's devices. Rozas argued in a recent motion that, because “severe defects” in the technology have since been uncovered, a “new trial should be ordered so that the defense could examine the Cellebrite-produced report and the device itself,” in light of this new evidence.
“Cellebrite’s been around for some time but I feel like it’s got a lot more comfortable for prosecutors and police officers,” Rozas told Gizmodo on the phone. In earlier years, data extraction was used primarily in only certain kinds of cases, typically child pornography or drug offences. But now the first move by cops typically involves looking for some form of incriminating evidence on a suspect’s mobile phone.
The widespread use of such tools could be a concern in light of one of the points made in Marlinspike's blog: that corrupted apps on a targeted phone could basically override any data extracted by Cellebrite's tools, essentially making data manipulation on confiscated devices possible for an outside party.
Despite the scale of these security issues, lawyers are not necessarily sold on the idea that they will change anything. Megan Graham, a clinical supervisor at the Samuelson Law, Technology & Public Policy Clinic at Berkeley Law School, said it was not fully clear how the disclosures regarding Cellebrite's technology could influence court cases. They probably won’t do much for older cases, but some discussion on how better to tackle potential issues with police technology can move forward, she said.
“The exact legal consequences of that will take a little while, I think,” Graham said in a telephone call. “I do not know how likely cases are to be expelled,” she said, adding that someone who is already convicted would probably have to “show that someone else identified and exploited this vulnerability at the time,” which is not an extremely simple task.
“I think it is difficult to tell, going forward,” said Graham. “We now know that this vulnerability exists, and that it raises concerns about the safety and integrity of Cellebrite devices.” She emphasized, however, that there is a lot we do not know. Among Graham's concerns: “We know not if the vulnerability is being exploited,” which makes it hard to discern when it could have been a problem in past cases.
Graham ultimately said she hoped that future courts would try to be more reflective and more nuanced where digital evidence is concerned, something this whole episode could help catalyze: “I believe that defense prosecutors will be in a position to get judges involved [in this matter]. They will present security concerns, manipulated evidence concerns and it could be convincing. I believe a broad range of reactions will be available when it comes to how it happens in cases,” she said.
On Monday, Cellebrite reportedly released new updates to its products, Vice News reports. The company claimed that the patches “were released to address a security vulnerability identified recently. The safety patch strengthens the solutions’ safeguards.” But Vice also reports that the company “did not say specifically that the vulnerability addressed is the same as the one that Marlinspike revealed.”