Cellebrite only claimed they had broken Signal to the extent that if they can break the phone (in particular the OS keystore) they can provide convenient access to the saved Signal data.
The context here is that Cellebrite provides a magic box that technically naive people can use to crack cellphones. So you hook up the box and you get what you get. Interpreting the data thus revealed is part of the service.
Interestingly enough, things that use a separate passphrase to protect the saved data are immune to a Cellebrite style attack. Since Signal relies on the security of the underlying device there is still a distinction that can be made here.
Another point that falls out of this is that Signal is more secure on systems with an unbroken hardware enclave. It is also more secure when you have it delete your old messages.
>Cellebrite’s details will make it easier for the Signal developers to patch the vulnerability.
There is no actual Signal vulnerability here so Signal has nothing to patch.
Unless I'm reading this wrong, it seems like they have access to your data if they have access to your device. That doesn't seem like a "breach" to me - if someone has an "end" in the end-to-end encryption scheme, they almost certainly can access the data. (I don't use Signal, so I may be missing something specific here that makes a difference.)
I would think all these infectionware companies bundle a lot of different attack strategies most or all of which are silly. Their goal as a business is bait and switch: they need to create enough PR of security experts saying they could have something, knowing any PR of good enough quality to raise eyebrows will get what is probably their only good attack fixed. By then the Orwellian Schools of America are buying and still get the cheesey leftovers in the bundle, so no refunds.
If you own the end device, end-to-end encryption is moot. Unless the key is not stored, but who cares about privacy enough to enter a 32-character password to unlock their chat?
The context here is that Cellebrite provides a magic box that technically naive people can use to crack cellphones. So you hook up the box and you get what you get. Interpreting the data thus revealed is part of the service.
Interestingly enough, things that use a separate passphrase to protect the saved data are immune to a Cellebrite style attack. Since Signal relies on the security of the underlying device there is still a distinction that can be made here.
Another point that falls out of this is that Signal is more secure on systems with an unbroken hardware enclave. It is also more secure when you have it delete your old messages.
>Cellebrite’s details will make it easier for the Signal developers to patch the vulnerability.
There is no actual Signal vulnerability here so Signal has nothing to patch.