FBI Extracts Suspect's Deleted Signal Messages Saved In iPhone Notification Data (404media.co)
- Reference: 0181533014
- News link: https://mobile.slashdot.org/story/26/04/10/1656218/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-data
- Source link: https://www.404media.co/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2/
> The FBI was [1]able to forensically extract copies of incoming Signal messages from a defendant's iPhone , even after the app was deleted, because copies of the content were saved in the device's push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck. The news shows how forensic extraction -- when someone has physical access to a device and is able to run specialized software on it -- can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.
>
> "We learned that specifically on iPhones, if one's settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device," a supporter of the defendants who was taking notes during the trial told 404 Media. [...] During one day of the related trial, FBI Special Agent Clark Wiethorn testified about some of the collected evidence. A summary of Exhibit 158 published [2]on a group of supporters' website says, "Messages were recovered from Sharp's phone through Apple's internal notification storage -- Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)."
>
> 404 Media spoke to one of the supporters who was taking notes during the trial, and to Harmony Schuerman, an attorney representing defendant Elizabeth Soto. Schuerman shared notes she took on Exhibit 158. "They were able to capture these chats bc [because] of the way she had notifications set up on her phone -- anytime a notification pops up on the lock screen, Apple stores it in the internal memory of the device," those notes read. The supporter added, "I was in the courtroom on the last day of the state's case when they had FBI Special Agent Clark testifying about some Signal messages. One set came from Lynette Sharp's phone (one of the cooperating witnesses), but the interesting detailed messages shown in court were messages that had been set to disappear and had in fact disappeared in the Signal app."
Further reading: [3]Apple Gave Governments Data On Thousands of Push Notifications
[1] https://www.404media.co/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2/
[2] https://prairielanddefendants.com/court-notes/march-10-federal-trial-day-12/
[3] https://yro.slashdot.org/story/25/06/04/2135246/apple-gave-governments-data-on-thousands-of-push-notifications
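The testimony above describes notification previews outliving the app that produced them: Signal's own data container was gone, but the OS-owned notification store still held the incoming message text. The script below is an added example for this page, not 404 Media's, the FBI's or Apple's tooling, and it shows how a triage pass over a full file-system export would surface exactly that condition. It assumes a layout in which each app's delivered notifications sit under Library/UserNotifications/<bundle-id>/DeliveredNotifications.plist, that app data containers carry a metadata plist naming their bundle id, and that each record uses the Title/Body/Date keys written here; all of those paths and keys are illustrative, and the export it walks is constructed in a temporary directory.

```python
"""Find notification previews whose originating app has been uninstalled.

Added example; the directory layout, plist keys and sample records are assumed
or constructed for illustration and are not a documented Apple format.
"""
import os
import plistlib
import tempfile
from datetime import datetime

# Assumed locations inside a full file-system export (paths relative to the
# image root).  Only the notification store under NOTIF_ROOT matters for the
# case in the article; APP_DATA_ROOT is used to tell which apps still exist.
APP_DATA_ROOT = "private/var/mobile/Containers/Data/Application"
NOTIF_ROOT = "private/var/mobile/Library/UserNotifications"
CONTAINER_META = ".com.apple.mobile_container_manager.metadata.plist"

SIGNAL = "org.whispersystems.signal"  # Signal's App Store bundle identifier
MAIL = "com.example.mail"             # constructed, stands in for any other app


def build_sample_export(root):
    """Constructed sample: the mail app keeps both its data container and its
    notification store; Signal's data container is gone (app deleted) while the
    OS-owned notification store for its bundle id survives."""
    mail_container = os.path.join(root, APP_DATA_ROOT, "1111-CONSTRUCTED-UUID")
    os.makedirs(mail_container)
    with open(os.path.join(mail_container, CONTAINER_META), "wb") as f:
        plistlib.dump({"MCMMetadataIdentifier": MAIL}, f)

    # Record shape is assumed; timestamps are naive UTC (plistlib round-trips
    # naive datetimes cleanly).  Message text is invented.
    stores = {
        MAIL: [{"Title": "Inbox", "Body": "2 new messages",
                "Date": datetime(2025, 7, 4, 21, 5)}],
        SIGNAL: [
            {"Title": "Alice", "Body": "see you at nine",
             "Date": datetime(2025, 7, 4, 20, 41)},
            {"Title": "Alice", "Body": "running late",
             "Date": datetime(2025, 7, 4, 20, 43)},
        ],
    }
    for bundle, records in stores.items():
        d = os.path.join(root, NOTIF_ROOT, bundle)
        os.makedirs(d)
        with open(os.path.join(d, "DeliveredNotifications.plist"), "wb") as f:
            plistlib.dump({"Notifications": records}, f)


def installed_bundles(root):
    """Bundle ids that still own an app data container, i.e. not uninstalled."""
    found = set()
    base = os.path.join(root, APP_DATA_ROOT)
    if not os.path.isdir(base):
        return found
    for container in os.listdir(base):
        meta = os.path.join(base, container, CONTAINER_META)
        if os.path.isfile(meta):
            with open(meta, "rb") as f:
                found.add(plistlib.load(f).get("MCMMetadataIdentifier"))
    return found


def recover_notifications(root):
    """Parse every per-app notification store and flag each record with whether
    the app that produced it is still present on the device."""
    installed = installed_bundles(root)
    out = []
    base = os.path.join(root, NOTIF_ROOT)
    if not os.path.isdir(base):
        return out
    for bundle in sorted(os.listdir(base)):
        path = os.path.join(base, bundle, "DeliveredNotifications.plist")
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            store = plistlib.load(f)
        for rec in store.get("Notifications", []):
            out.append({
                "bundle": bundle,
                "app_present": bundle in installed,
                "date": rec.get("Date"),
                "title": rec.get("Title", ""),
                "body": rec.get("Body", ""),
            })
    return out


def orphaned_notifications(root):
    """Records whose app is gone: the 'Signal removed, previews preserved' case."""
    return [r for r in recover_notifications(root) if not r["app_present"]]


def demo():
    """Build the constructed export in a temp dir and return all recovered records."""
    with tempfile.TemporaryDirectory() as export:
        build_sample_export(export)
        return recover_notifications(export)


if __name__ == "__main__":
    for r in demo():
        tag = "ORPHANED" if not r["app_present"] else "installed"
        print(f"{r['date']:%Y-%m-%d %H:%M}  {tag:9}  {r['bundle']}  {r['title']}: {r['body']}")
```

Two points the script makes concrete. First, the notification store is keyed by bundle id and owned by the OS, so deleting the app's sandbox does nothing to it; a triage tool has to look there separately rather than trusting that an uninstalled app left no data. Second, only what the app handed to the notification system is recoverable, which is why the exhibit lists incoming messages only: the preview text is the payload, and a client configured to show "name only" or nothing would leave the Body field empty here.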
Double whammy (Score:4, Interesting)
Sounds like they had two things going on. First was enabling the content to be part of the notifications themselves. Second was never actually clearing out the notifications. Just checked and I have a couple hundred uncleared notifications from my mom's front doorbell camera. I don't know what the actual limit is but it is definitely in the hundreds that iOS will maintain.
Re: Double whammy (Score:2)
As far as I understood, the notifications are in the memory even if you clear them.
Re: (Score:2)
The old rule of garbage collection: you can take the trash out but the can still stinks.
Know how to use your tech (Score:3)
If you want security, know how your technology works.
I'm Quite Impressed (Score:2)
From what I've seen, I would never have imagined that those chuckleheads would be clever enough to come up with this discovery.
Client / End (Score:2)
I'll [1]say it again [slashdot.org], E2E doesn't matter very much if they control an end.
[1] https://it.slashdot.org/comments.pl?sid=23962688&cid=66087414
Re: (Score:2)
And the FBI apparently knows how to bite a shiny metal ass.
Re: Client / End (Score:1)
It very much does matter. If you and/or your recipient are careless, that doesn't somehow make the technology useless.
This is like saying secrets don't matter because somebody will eventually leak them anyways.
Re: (Score:3)
The statement "A chain is only as strong as its weakest link" doesn't devalue the chain nor value of individual strong links.
Uh (Score:2, Insightful)
> case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility
I don't see any crimes here - other than ICE being murderers.
Re: (Score:2)
Someone probably should have told you this already, but ICE wasn't involved in either of those shootings. Both were Border Patrol.
Have you gotten any other facts wrong?
Re: (Score:2)
> "I don't see any crimes here"
Then you need to educate yourself. It is pretty clearly a crime to vandalize property. And it is also a crime in many jurisdictions to set off fireworks. It is where I live. And directing them at people clearly makes them a weapon.
And then there is the shooting (not these defendants) in which an officer (who was unarmed, not that it matters) was shot in the neck, which is beyond reason. It was a charge of attempted murder.
[1]https://www.justice.gov/usao-n... [justice.gov]
[1] https://www.justice.gov/usao-ndtx/pr/antifa-cell-members-convicted-prairieland-ice-detention-center-shooting
That just sounds like a dumb mistake (Score:2)
The default setting is to not show the content in the notification when the screen is locked. How dumb is to go to the trouble to use Signal, then change the settings to degrade the security.
Re: (Score:2)
I just checked my Android.
I have it set to not show sensitive info when locked.
But Signal now also has an option to show nothing, name, or name and content in a notification.
It appears to have defaulted to the least secure option.
There's that inherent tension between convenience and security and the Tyranny of the Default.
Incredible! (Score:3)
Can this technology be used to find the Epstein files?
Re: (Score:2)
Because we know that [1]important iPhones would never end up wiped. [militarytimes.com]
[1] https://www.militarytimes.com/news/pentagon-congress/2022/08/04/pentagon-reminds-everyone-not-to-wipe-their-phones/
Secure Design (Score:3)
It's reasonable to assume that if you erase an app on a mobile OS that the system will delete the app's data.
That ought to include any data stored in OS databases that is tagged with the app. It's not at all unreasonable to expect this. I suspect it's an oversight though Apple got weird after their standoff with the FBI over the "San Jose bomber". The GPU backdoor to read arbitrary system memory that Kaspersky found is an example.
Apple should make the change and really secure-erase the flash blocks that were being used. This can be done in the background and collected into the free block map later.
The best some people can do is trust their vendor but having a secret-source platform to trust makes it harder.
And, yes, it would not be surprising to learn Qualcomm and Samsung have similar 'features'.
Use protection (Score:1)
Don't use technology if you're going to screw around with the government. The government loves it when you use technology. At least use a burner phone FFS.
Re: (Score:2)
This isn't even a case where a burner phone would have helped, or a device that should have been using a lockdown mode. This is just a case where the guy shouldn't have had notifications enabled for Signal.
I wouldn't really consider this a hack or exploit, everything is working as designed. If you want something to stay secret, don't have that secret pop up as a notification on your phone.
Re: Use protection (Score:2)
Does it hold on to those notifications after they're dismissed, never to be seen again? If so, I'd consider that to be a bug.
Just sayin.
Re: (Score:2)
It is basically a case of using tech in a criminal context without understanding that tech. The OP is right that for most people the workaround is to not use tech. If you are a forensics expert for the tech you are using, you can probably do better. Otherwise, far too risky.