Lawyer seeks new trial based on alleged cybersecurity flaws in phone-cracking product

  • Print.

smartphone cybersecurity

Image from Shutterstock.

A Maryland defense lawyer is seeking a new trial for his client after a blog post claimed that a product used by police to extract cellphone data has cybersecurity flaws.

Lawyer Ramon Rozas of Cumberland, Maryland, said he filed the new trial motion because the case against his client largely relied on evidence collected by the phone-cracking device, report Vice and Gizmodo.

The product is made by Israeli digital intelligence firm Cellebrite. In an April 21 blog post, the founder of encrypted chat app Signal said he was able to hack a Cellebrite device. Gizmodo and Vice had prior coverage of the blog post by Moxie Marlinspike, the founder and CEO of Signal.

According to Gizmodo’s summary of the blog post, Marlinspike “says that because of security flaws, someone could basically rewrite all of the data being collected by Cellebrite’s tools. Hypothetically, a uniquely configured file could be slipped into any app on a targeted device—allowing for the alteration of all of the data that has been or will be collected by Cellebrite’s software.”

Cellebrite has since sent out updates “to address a recently identified security vulnerability,” according to Gizmodo. The company did not say whether the vulnerability was the one discussed in the blog post.

Rozas’ motion cited the blog post about the security flaws. He is seeking a new trial, so the defense can examine the Cellebrite device and the report on the data it extracted.

Rozas told Gizmodo that, at one time, data extraction was used to gather evidence primarily in child pornography and drug cases. Now, he said, officers’ first move is to get cellphone evidence, in any kind of case.

Gizmodo spoke about the legal issues with Megan Graham, a clinical supervising attorney at the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley School of Law.

“I don’t know how likely it is that cases would be thrown out,” Graham told Gizmodo. A defendant already convicted would face the high hurdle of showing “that someone else identified this vulnerability and exploited it at the time,” she said.

Going forward, “it’s just hard to tell,” especially since it is unknown whether the vulnerability was being exploited, she said. But Graham does think there will be cases “where defense attorneys are able to get judges engaged” on the issue.

Give us feedback, share a story tip or update, or report an error.