Thursday, April 2, 2015

Cyber Dust Privacy Claims Debunked




One of the most popular experiments we’ve performed, and associated blog articles we’ve written, through the first quarter of 2015 was our testing of the “private” mobile app, Cyber Dust.  In fact, as of the publication of this article, that blog alone has garnered over 1600 views and climbing.  This is due in part to the popularity of the app, the consumer push for user privacy, the marketing efforts of app bank-roller Mark Cuban, a Cyber Dust Podcast interview we did with a big fan of the app and some feverish tweeting on our behalf.  But some recent updated and more in-depth testing by Heather Mahalik has brought up even more questions about the privacy claims of this app.  At this point, it’s probably safe to say the initial claims of the app’s privacy were very much false, calling into question any future claims the app developers may put forth about future iterations of the app.

Review

For those of you who may not have read our previous article about light forensic testing we performed on Cyber Dust (linked here: http://prodigital4n6.blogspot.com/2015/01/searching-for-artifacts-in-private.html) and in the interests of full disclosure, we’ll provide a brief review of what took place earlier this year, both by Pro Digital examiners and Heather Mahalik of SANS.

In December of 2014, I became aware of the mobile app Cyber Dust through the marketing efforts of Mark Cuban and my role as a digital forensic examiner.  Cuban was tweeting about the app’s privacy and we subsequently had this brief exchange on Twitter:

Twitter conversation between @Prodigital4n6 and @mcuban from December, 2014


Putting Cuban’s ignorance about mobile data storage aside (in fairness, he may have been using “hard drive” as a layman’s term), I decided to take him up on what I saw as a definite forensic challenge to see if any artifacts could be recovered.
Long story short, we were able to recover some artifacts through some very basic controlled testing, including user names such as Cuban’s public user name on Cyber Dust and dictionary entries which translated to message strings typed into the device on an Android Smart Phone.  While these artifacts weren’t a direct indictment of Cuban’s claims, they certainly led to the conclusion that the app itself may be private, but the platform on which the app is installed will also have great bearing on what, if any, artifacts are recoverable.

Updated Findings

As I learned during a SANS webcast in March, SANS FOR585 Instructor & mobile forensic guru Heather Mahalik performed some even more in-depth testing on a more recent version of the app and found much more.  As you can see in the SANS webcast linked here (https://www.sans.org/webcasts/smartphone-security-stronger-forensic-methods-weaker-99887), Heather was able to recover full message text that was double-encoded in Base64.  The translation of this double-encoding was simple and proved that the claim that “it never touches a hard drive anywhere” is simply not true.  Certain messages – perhaps all messages – are stored locally on the device.  They’re just not viewable in Unicode or ASCII as one would search for, thus requiring a trained forensic examiner to take some extra steps to translate the messages, but rest assured, they’re there!
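The extra translation step can be sketched as follows. This is an added example, not code from the original article or from the testing it cites; the sample blob, the message text and the 16-character minimum run length are constructed assumptions.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet worth testing; the 16-character floor is an assumption.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def _try_b64(data: bytes):
    """Strictly decode one Base64 layer; None if data is not valid Base64."""
    if len(data) % 4 != 0:
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def _is_text(data: bytes) -> bool:
    """True for non-empty UTF-8 consisting of printable characters/whitespace."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)

def peel_base64(data: bytes, max_layers: int = 4):
    """Strip nested Base64 layers; return (text, layers) or None if none decode."""
    layers = 0
    while layers < max_layers:
        decoded = _try_b64(data)
        if decoded is None or not _is_text(decoded):
            break  # stop at the first layer that is no longer readable text
        data, layers = decoded, layers + 1
    return (data.decode("utf-8"), layers) if layers else None

def scan_blob(blob: bytes, min_layers: int = 2):
    """Return (offset, layers, text) for Base64 runs that decode to text."""
    hits = []
    for m in B64_RUN.finditer(blob):
        result = peel_base64(m.group())
        if result and result[1] >= min_layers:
            hits.append((m.start(), result[1], result[0]))
    return hits

def build_sample() -> bytes:
    """Constructed stand-in for app storage: binary padding around two values."""
    double = base64.b64encode(base64.b64encode(b"Meet me at the dock at 9pm"))
    single = base64.b64encode(b"single layer only, ignored")
    return b"\x00\x01hdr\x00" + double + b"\x00\xff" + single + b"\x00tail"

if __name__ == "__main__":
    for offset, layers, text in scan_blob(build_sample()):
        print(f"offset {offset}: {layers} Base64 layers -> {text!r}")
```

A plain keyword search over the same blob finds nothing, because neither the message nor its single-encoded form appears as literal ASCII; only the layered decode surfaces it.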

The responses both Heather and I received from Cyber Dust developers once they became aware of these findings were curious at best.  To paraphrase, the explanation was given that Heather’s tests were performed on an earlier version of the app in which the data was not encrypted.  The developer(s) insisted the same data is now encrypted in the current versions of the app and therefore, not recoverable.  Methinks they’re missing the point.
 
Take-Aways

I’d like to think the developers of Cyber Dust were simply unaware that curious contrarians like me, Heather Mahalik and other mobile forensicators wouldn’t put Cyber Dust through its paces, but that’s what we do.  Tell us we can’t find it and we’ll look through the weeds as long as we need to in order to find it, and Heather certainly did just that.  What’s more disturbing, and arguably almost fraudulent, is that Mark Cuban has repeatedly pushed forth in the media that the reason he bank-rolled Cyber Dust is so users could have complete privacy from both corporations and the government.  Indeed, his impetus for bank-rolling the app was a lengthy SEC investigation in which his emails, text messages & other electronic communications were requested as part of discovery in the case.  These tests have shown that, whether in government or in the private sector, there exist forensic examiners with the ability to recover messages stored within the Cyber Dust app, further disputing the claim that the data doesn’t get stored anywhere.

The updated app may have encrypted the data that Heather recovered, but that still doesn’t address the fact that the data IS stored on the device.  And the fact that the data IS stored on the device, whether encrypted or not, is a direct contradiction to Cuban’s claims that the data “doesn’t touch a hard drive anywhere”.  The replies from Cyber Dust developers overlook this contradiction and really don’t address it at all.

Moving forward, Cyber Dust has some issues with its users who are truly interested in data privacy.  Now that Cuban’s claim(s) have been proven completely false, how are users supposed to believe claims of future privacy?  Are Cyber Dust developers simply preying on their users’ ignorance of technical terms like double-encoding and encryption?  And what if the alleged new encryption algorithm they’re using in current versions is cracked, thus allowing examiners to recover messages as Heather Mahalik did?  Can the developers ever get to a place where no messages are stored on the device?

These are all serious questions Cyber Dust, the developers and even Mark Cuban himself need to answer before they will be able to restore any faith in their app’s privacy.  Don’t forget, roughly the same thing happened to Snapchat when they claimed nothing was saved.  Is the same fate in store for Cyber Dust?
Only time will tell…

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: ProDigital4n6

Note:  While much of the forensic work in this article was conducted by Heather Mahalik, please note, she is not an author of this blog.  Her forensic work on Cyber Dust was cited to reinforce the statements made in this article.


UPDATE:
Yes, this is an update to an update...
Shortly after posting this article and tweeting the link to Mr. Cuban, I received this email from an address reportedly belonging to Mark Cuban:


At this time, no reply has been sent.  It is interesting that the "f word" was cited in the email.  In the attempt to give more benefit of the doubt to Cuban and the developers of Cyber Dust, I edited the phrase "...almost fraudulent" to "arguably almost fraudulent".

When writing these articles, I make every effort to be transparent and objective within the subject matter (yes, I edited Mr. Cuban's email address for his privacy), but as a trained investigator, forensic examiner and former law enforcement officer, it's been ingrained in me, and those in the field, to seek facts and point them out, no matter who likes them or how popular they may be.

As far as good business, I won't argue with a billionaire about what is or is not good business.  I'll only state that in every contact with every client, we are as honest, truthful, forthright and pragmatic as possible, even if it means doing so doesn't earn their business.  Maybe that will end up being a bad business model, but it's worked pretty good so far and I will continue to push forward the Pro Digital model of business integrity as long as I own the company.  If you're interested in our Mission Statement, you may read it at: http://www.prodigital4n6.com/about.html

Thanks for your continued readership.
Veritas et Aequitas

-Patrick Siewert