FBI Extracts Suspect's Deleted Signal Messages Saved In iPhone Notification Data (404media.co) 50
An anonymous reader quotes a report from 404 Media: The FBI was able to forensically extract copies of incoming Signal messages from a defendant's iPhone, even after the app was deleted, because copies of the content were saved in the device's push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck. The news shows how forensic extraction -- when someone has physical access to a device and is able to run specialized software on it -- can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.
"We learned that specifically on iPhones, if one's settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device," a supporter of the defendants who was taking notes during the trial told 404 Media. [...] During one day of the related trial, FBI Special Agent Clark Wiethorn testified about some of the collected evidence. A summary of Exhibit 158 published on a group of supporters' website says, "Messages were recovered from Sharp's phone through Apple's internal notification storage -- Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)."
404 Media spoke to one of the supporters who was taking notes during the trial, and to Harmony Schuerman, an attorney representing defendant Elizabeth Soto. Schuerman shared notes she took on Exhibit 158. "They were able to capture these chats bc [because] of the way she had notifications set up on her phone -- anytime a notification pops up on the lock screen, Apple stores it in the internal memory of the device," those notes read. The supporter added, "I was in the courtroom on the last day of the state's case when they had FBI Special Agent Clark testifying about some Signal messages. One set came from Lynette Sharp's phone (one of the cooperating witnesses), but the interesting detailed messages shown in court were messages that had been set to disappear and had in fact disappeared in the Signal app." Further reading: Apple Gave Governments Data On Thousands of Push Notifications
"We learned that specifically on iPhones, if one's settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device," a supporter of the defendants who was taking notes during the trial told 404 Media. [...] During one day of the related trial, FBI Special Agent Clark Wiethorn testified about some of the collected evidence. A summary of Exhibit 158 published on a group of supporters' website says, "Messages were recovered from Sharp's phone through Apple's internal notification storage -- Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)."
404 Media spoke to one of the supporters who was taking notes during the trial, and to Harmony Schuerman, an attorney representing defendant Elizabeth Soto. Schuerman shared notes she took on Exhibit 158. "They were able to capture these chats bc [because] of the way she had notifications set up on her phone -- anytime a notification pops up on the lock screen, Apple stores it in the internal memory of the device," those notes read. The supporter added, "I was in the courtroom on the last day of the state's case when they had FBI Special Agent Clark testifying about some Signal messages. One set came from Lynette Sharp's phone (one of the cooperating witnesses), but the interesting detailed messages shown in court were messages that had been set to disappear and had in fact disappeared in the Signal app." Further reading: Apple Gave Governments Data On Thousands of Push Notifications
Use protection (Score:3)
Re: (Score:3)
This isn't even a case where a burner phone would have helped, or a device that should have been using a lock down mode. This is just a case where the guy shouldn't have had notifications enabled for Signal.
I wouldn't really consider this a hack or exploit, everything is working as designed. If you want something to stay secret, don't have that secret pop up as a notification on your phone.
Re: Use protection (Score:4, Insightful)
Does it hold on to those notifications after they're dismissed, never to be seen again? If so, I'd consider that to be a bug.
Just sayin.
Re: (Score:2)
It's not up to the app what happens to the notification once it hands it to iOS. That's why signal has an option not to put the plain text in the notification.
Re: Use protection (Score:1)
That's exactly what I'm referring to
Re: (Score:2)
It is basically a case of using tech in a criminal context without understanding that tech. The OP is right that for most people the workaround is to not use tech. If you are a forensics expert for the tech you are using, you can probably do better. Otherwise, far too risky.
Re: (Score:2)
KISS definitely applies to criminals as much as systems engineering.
It applies to keeping any attackers out.
Re: Use protection (Score:2)
That's how many people misunderstand privacy laws: They are intended to protect innocent citizens, not criminals. Like it is 100% intended that police needs a search warrant to search the home of an innocent citizen. And to avoid searches of innocent citizens without a warrant, they are punished by not being able to use the results of an illegal search of a crimi
Re: (Score:2)
Your trust in the authorities is endearing but utterly naive. Privacy laws serve as a second line of defense against the authorities and are direly needed. Hence you are completely wrong. I guess you have never looked at or never understood how a surveillance society or a police state gets established.
Re: (Score:1)
> I wouldn't really consider this a hack or exploit, everything is working as designed.
Or, and hear me out on this, the design is stupid...
All notification content going through apple in plain text is stupid. (google is the same). All that because you're not allowed to keep a persistent TCP connection as an app.
Re:Use protection (Score:5, Informative)
> All notification content going through apple in plain text is stupid. (google is the same). All that because you're not allowed to keep a persistent TCP connection as an app.
Keeping a persistent TCP connection would obliterate your battery. If any app could just do that everyone's phone would be dying all the time because some opaque (to the user) process was holding a connection and keeping the radio warmed up even when their phone is sleeping in their pocket. The only sane way is to have a system process wake the phone up at pre-defined sane intervals and pick up all the messages at once in a batch.
Also, you are wrong: message bodies aren't going through Apple's servers in plain text. When signal has pending messages for a user, the signal message server sends an empty "ping" notification for the signal user to Apple. iOS notification service delivers the notification to signal. Signal then wakes up and picks up the encrypted message from the cloud, decrypts it, and pops a notification containing the plain text.
It's these decrypted messages in the local iOS notification queue that the FBI recovered, NOT the cloud notifications, which contain no sensitive information. You can tell signal not to put the decrypted message in the notification. You can have it instead say "Message from <contact_name>" or just "New messages" or nothing at all.
You don't need to take my word for it, the app is open source. You can see the notification handling code here:
https://github.com/signalapp/S... [github.com]
You can see it does nothing with the actual notification content received from Apple's notification service. It's just an empty message used to wake the app up which then fires off some async jobs to fetch the actual messages.
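The flow described in the comment above, as an added example that is not part of the thread and not Signal's or Apple's code: a small Python model of an empty wake-up push, local decryption, and what remains in an OS-held notification store after the app is deleted, for each preview setting. The store schema, the XOR placeholder cipher, the mode names and the sample messages are all constructed assumptions.

```python
import sqlite3

KEY = 0x5A  # constructed toy key

def toy_encrypt(text, key=KEY):
    # XOR placeholder standing in for real end-to-end encryption.
    return bytes(b ^ key for b in text.encode())

def toy_decrypt(blob, key=KEY):
    return bytes(b ^ key for b in blob).decode()

def open_os_store():
    # Constructed stand-in for the OS-owned notification store; not iOS's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE delivered (app TEXT, title TEXT, body TEXT)")
    return db

def handle_wakeup(os_store, push_payload, server_queue, mode):
    """App-side handler: the push only wakes the app; content is fetched and decrypted locally."""
    if push_payload:
        raise ValueError("wake-up ping is expected to carry no message data")
    for sender, blob in server_queue:
        text = toy_decrypt(blob)
        if mode == "name_and_content":
            title, body = sender, text
        elif mode == "name_only":
            title, body = sender, "New message"
        else:  # "no_name_or_content"
            title, body = "Messenger", "New message"
        # Once posted, the record is held by the OS, outside the app's own storage.
        os_store.execute("INSERT INTO delivered VALUES (?, ?, ?)", ("messenger", title, body))

def run_scenario(mode):
    """Deliver two constructed messages, delete the app, then examine the OS store."""
    messages = [("Alice", "meet at 9"), ("Bob", "bring the keys")]
    server_queue = [(s, toy_encrypt(t)) for s, t in messages]
    app_data = {"key": KEY, "message_db": []}
    os_store = open_os_store()
    handle_wakeup(os_store, {}, server_queue, mode)
    app_data.clear()  # app removed: its key and message database are gone
    rows = os_store.execute("SELECT title, body FROM delivered").fetchall()
    plaintexts = {t for _, t in messages}
    # Rows whose body is real message text are what an examiner could still read.
    return [row for row in rows if row[1] in plaintexts]

if __name__ == "__main__":
    for mode in ("name_and_content", "name_only", "no_name_or_content"):
        print(mode, "->", run_scenario(mode))
```

Only the mode that copies decrypted text into the notification leaves readable message content behind; the other two leave rows that reveal at most a sender name.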
Re: (Score:2)
> Keeping a persistent TCP connection would obliterate your battery.
A couple years back I tested k9-mail and Conversations.im that keep a persistent connection (F-droid), and there was zero battery life difference. So it can be done. Yes, it was just 2 programs, and they weren't vibe coded shopping apps.
Also as steward of the TCP stack, the OS can do a lot of work on that front.
I will keep arguing that killing IMAP IDLE support, and requiring all email providers to support proprietary cloud stacks in orde
Re: (Score:2)
> When signal has pending messages for a user, the signal message server sends an empty "ping" notification for the signal user to Apple. iOS notification service delivers the notification to signal. Signal then wakes up and picks up the encrypted message from the cloud, decrypts it, and pops a notification containing the plain text.
Wait what...? So any messenger app has to go through Apple, Google or perhaps even Samsung to get a message delivered to a phone? Or is this just Apple specific?
Re: (Score:1)
Double whammy (Score:5, Interesting)
Sounds like they had two things going on. First was enabling the content to be part of the notifications themselves. Second was never actually clearing out the notifications. Just checked and I have a couple hundred uncleared notifications from my mom's front doorbell camera. I don't know what the actual limit is but it is definitely in the hundreds that iOS will maintain.
Re: Double whammy (Score:3)
Re: (Score:3)
Know how to use your tech (Score:5, Insightful)
I'm Quite Impressed (Score:1)
From what I've seen, I would never have imagined that those chuckleheads would be clever enough to come up with this discovery.
Client / End (Score:2)
Re: (Score:2)
Re: Client / End (Score:1)
It very much does matter. If you and/or your recipient are careless, that doesn't somehow make the technology useless.
This is like saying secrets don't matter because somebody will eventually leak them anyways.
Re: (Score:3)
Uh (Score:2, Insightful)
> case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility
I don't see any crimes here - other than ICE being murderers.
Re: (Score:2)
Have you gotten any other facts wrong?
Re: (Score:2)
A fed is a fed. I see no reason to give two shits... or even just one shit... about how the trumpscum choose to organize and subdivide themselves or what particular costumes they wear. Those people goosestep under the banner of trump. And that is all I need to know about any or all of them.
Re: (Score:2)
>"I don't see any crimes here"
Then you need to educate yourself. It is pretty clearly a crime to vandalize property. And it is also a crime in many jurisdictions to set off fireworks. It is where I live. And directing them at people clearly makes them a weapon.
And then there is the shooting (not these defendants) in which an officer (who was unarmed, not that it matters) in the neck is beyond reason. It was a charge of attempted murder.
https://www.justice.gov/usao-n... [justice.gov]
Re: (Score:2)
Just think if those resources could be used to find a person with 34 felony convictions still walking free.
That just sounds like a dumb mistake (Score:3)
The default setting is to not show the content in the notification when the screen is locked. How dumb is it to go to the trouble to use Signal, then change the settings to degrade the security.
Re: (Score:3)
I just checked my Android.
I have it set to not show sensitive info when locked.
But Signal now also has an option to show nothing, name, or name and content in a notification.
It appears to have defaulted to the least secure option.
There's that inherent tension between convenience and security and the Tyranny of the Default.
Incredible! (Score:3)
Can this technology be used to find the Epstein files?
Re: (Score:2)
Re: Incredible! (Score:1)
Secure Design (Score:3)
It's reasonable to assume that if you erase an app on a mobile OS that the system will delete the app's data.
That ought to include any data stored in OS databases that is tagged with the app. It's not at all unreasonable to expect this. I suspect it's an oversight though Apple got weird after their standoff with the FBI over the "San Jose bomber". The GPU backdoor to read arbitrary system memory that Kaspersky found is an example.
Apple should make the change and really secure-erase the flash blocks that were being used. This can be done in the background and collected into the free block map later.
The best some people can do is trust their vendor but having a secret-source platform to trust makes it harder.
And, yes, it would not be surprising to learn Qualcomm and Samsung have similar 'features'.
Re: (Score:2)
When you delete an app it tells you all the data will be deleted too. Apparently not.
They should try using pagers to communicate (Score:1)
As a developer (Score:2)