April 2, 2015
Cyber Dust Privacy Claims Debunked
One of the most popular experiments we’ve performed, and
associated blog articles we’ve written, through the first quarter of 2015 was
our testing of the “private” mobile app, Cyber Dust. In fact, as of the publication of this
article, that blog alone has garnered over 1600 views and climbing. This is due in part to the popularity of the
app, the consumer push for user privacy, the marketing efforts of app
bank-roller Mark Cuban, a Cyber Dust Podcast interview we did with a big fan of
the app and some feverish tweeting on our behalf. But some recent, updated and more in-depth
testing by Heather Mahalik has brought up even more questions about the privacy
claims of this app. At this point, it’s
probably safe to say the initial claims of the app’s privacy were very much
false, calling into question any future claims the app developers may put forth
about future iterations of the app.
Review
For those of you who may not have read our previous article
about light forensic testing we performed on Cyber Dust (linked here: http://prodigital4n6.blogspot.com/2015/01/searching-for-artifacts-in-private.html)
and in the interests of full disclosure, we’ll provide a brief review of what
took place earlier this year, both by Pro Digital examiners and Heather Mahalik
of SANS.
In December of 2014, I became aware of the mobile app
Cyber Dust through the marketing efforts of Mark Cuban and my role as a digital
forensic examiner. Cuban was tweeting
about the app’s privacy and we subsequently had this brief exchange on Twitter:
Twitter conversation between @Prodigital4n6 and @mcuban from December, 2014
Putting Cuban’s ignorance about mobile data storage aside
(in fairness, he may have been using “hard drive” as a layman’s term), I
decided to take him up on what I saw as a definite forensic challenge to see if
any artifacts could be recovered.
Long story short, we were able to recover some artifacts
through some very basic controlled testing, including user names such as
Cuban’s public user name on Cyber Dust and dictionary entries which translated
to message strings typed into the device on an Android Smart Phone. While these artifacts weren’t a direct
indictment of Cuban’s claims, they certainly led to the conclusion that the app
itself may be private, but the
platform on which the app is installed will also have great bearing on what, if
any, artifacts are recoverable.
Updated Findings
As I learned during a SANS webcast in March, SANS
FOR585 Instructor & mobile forensic guru Heather Mahalik performed
some even more in-depth testing on a more recent version of the app and found
much more. As you can see in the SANS
webcast linked here (https://www.sans.org/webcasts/smartphone-security-stronger-forensic-methods-weaker-99887),
Heather was able to recover full message text that was double-encoded in
Base64. The translation of this double-encoding
was simple and proved that the claim that “it never touches a hard drive
anywhere” is simply not true. Certain
messages – perhaps all messages – are stored locally on the device. They’re just not viewable in Unicode or ASCII
as one would search for, thus requiring a trained forensic examiner to take
some extra steps to translate the messages, but rest assured, they’re
there!
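Why a plain keyword search misses such data, and how peeling the layers recovers it, shown as an added example that is not from this article or the SANS webcast. The blob layout, function names and sample message are constructed for illustration and do not reproduce Cyber Dust's actual storage format.

```python
import base64
import binascii
import re

# Runs of Base64-alphabet bytes long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def is_text(data: bytes) -> bool:
    """True if data is non-empty, valid UTF-8 and printable."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)

def peel(candidate: bytes, max_layers: int = 4):
    """Strictly Base64-decode while the result is still text.
    Returns (layers_removed, final_bytes)."""
    layers, current = 0, candidate
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # not valid Base64 any more: innermost layer reached
        if not is_text(decoded):
            break  # decoded to binary noise: treat as a false positive
        layers, current = layers + 1, decoded
    return layers, current

def carve(blob: bytes, min_layers: int = 2):
    """Return (offset, layers, text) for strings wrapped in at least
    min_layers of Base64 inside a raw binary blob."""
    hits = []
    for m in B64_RUN.finditer(blob):
        layers, text = peel(m.group())
        if layers >= min_layers:
            hits.append((m.start(), layers, text.decode("utf-8")))
    return hits

def build_sample(message: bytes) -> bytes:
    """Constructed test blob: binary filler around a double-encoded message."""
    twice = base64.b64encode(base64.b64encode(message))
    return b"\x00\x01SQLite format 3\x00" + b"\xff" * 8 + twice + b"\x00\x07pad"

if __name__ == "__main__":
    blob = build_sample(b"meet at the usual place at 9pm")
    print("keyword visible in raw bytes:", b"usual place" in blob)
    for offset, layers, text in carve(blob):
        print(f"offset {offset}: {layers} Base64 layers -> {text!r}")
```
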
The responses both Heather and I received from Cyber Dust
developers after they became aware of these findings were curious at best. To paraphrase, the explanation was given that
Heather’s tests were performed on an earlier version of the app in which the
data was not encrypted. The developer(s)
insisted the same data is now encrypted in the current versions of the app and
therefore, not recoverable. Methinks
they’re missing the point.
Take-Aways
I’d like to think the developers of Cyber Dust were simply
unaware that curious contrarians like me, Heather Mahalik and other mobile
forensicators would put Cyber Dust through its paces, but that’s what we
do. Tell us we can’t find it and we’ll
look through the weeds as long as we need to in order to find it and Heather
certainly did just that. What’s more
disturbing and, arguably almost fraudulent is that Mark Cuban has repeatedly
pushed forth in the media that the reason he bank-rolled Cyber Dust is so users
could have complete privacy from both corporations and the government. Indeed, his impetus for bank-rolling the app
was a lengthy SEC investigation in which his emails, text messages & other
electronic communications were requested as part of discovery in the case. These tests have shown that, whether in
government or in the private sector, there exist forensic examiners with the
ability to recover messages stored within the Cyber Dust app, further disputing
the claim that the data doesn’t get stored anywhere.
The updated app may have encrypted the data that Heather
recovered, but that still doesn’t address the fact that the data IS
stored on the device. And the fact that
the data IS stored on the device, whether encrypted or not, is a direct
contradiction to Cuban’s claims that the data “doesn’t touch a hard drive
anywhere”. The replies from Cyber Dust
developers overlook this contradiction and really don’t address it at
all.
Moving forward, Cyber Dust has some issues with its users
who are truly interested in data privacy.
Now that Cuban’s claim(s) have been proven completely false, how are
users supposed to believe claims of future privacy? Are Cyber Dust developers simply preying on
their users’ ignorance of technical terms like double-encoding and
encryption? And what if the alleged new
encryption algorithm they’re using in current versions is cracked, thus
allowing examiners to recover messages as Heather Mahalik did? Can the
developers ever get to a place where no messages are stored on the device?
These are all serious questions Cyber Dust, the developers
and even Mark Cuban himself need to answer before they will be able to restore
any faith in their app’s privacy. Don’t
forget, roughly the same thing happened to Snapchat when they claimed nothing
was saved. Is the same fate in store for
Cyber Dust?
Only time will tell…
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
cases in Virginia court history. A
graduate of both SCERS and BCERT (among others), Siewert continues to hone his
digital forensic expertise in the private sector while growing his consulting
business marketed toward litigators, professional investigators and
corporations.
Twitter: ProDigital4n6
Note: While much of the forensic work in this article was conducted by Heather Mahalik, please note, she is not an author of this blog. Her forensic work on Cyber Dust was cited to reinforce the statements made in this article.
UPDATE:
Yes, this is an update to an update...
Shortly after posting this article and tweeting the link to Mr. Cuban, I received this email from an address reportedly belonging to Mark Cuban:
At this time, no reply has been sent. It is interesting that the "f word" was cited in the email. In the attempt to give more benefit of the doubt to Cuban and the developers of Cyber Dust, I edited the phrase "...almost fraudulent" to "arguably almost fraudulent".
When writing these articles, I make every effort to be transparent and objective within the subject matter (yes, I edited Mr. Cuban's email address for his privacy), but as a trained investigator, forensic examiner and former law enforcement officer, it's been ingrained in me, and those in the field, to seek facts and point them out, no matter who likes them or how popular they may be.
As far as good business, I won't argue with a billionaire about what is or is not good business. I'll only state that in every contact with every client, we are as honest, truthful, forthright and pragmatic as possible, even if it means doing so doesn't earn their business. Maybe that will end up being a bad business model, but it's worked pretty good so far and I will continue to push forward the Pro Digital model of business integrity as long as I own the company. If you're interested in our Mission Statement, you may read it at: http://www.prodigital4n6.com/about.html
Thanks for your continued readership.
Veritas et Aequitas
-Patrick Siewert