BETA
This is a BETA experience. You may opt-out by clicking here
Edit Story

Can The FBI Hack Into Private Signal Messages On A Locked iPhone? Evidence Indicates Yes

Following

Signal has become the de facto king of secure messaging apps of late, stealing users from WhatsApp and gathering millions of others looking for private forms of communication. That means the police and governments will be wanting, more than ever, to ensure they have forensic techniques to access Signal messages. Court documents obtained by Forbes not only attest to that desire, but indicate the FBI has a way of accessing Signal texts even if they’re behind the lockscreen of an iPhone.

The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documents containing screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York. (The suspects have not yet entered a plea and remain innocent until proven guilty). In the Signal chats obtained from one of their phones, they discuss not just weapons trades but attempted murder too, according to documents filed by the Justice Department. There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off. An iPhone in this state is more susceptible to having data inside extracted because encryption keys are stored in memory. Any hackers or hacking devices with the right iPhone vulnerabilities could then piece together keys and start unlocking private data inside the device.

For police to access private Signal messages from an iPhone, there are some other caveats besides a device needing to be in AFU mode. The iPhone in question appears to be either an iPhone 11 (whether Pro or Max) or a second generation iPhone SE. It’s unclear if the police can access private data on an iPhone 12. It’s also not clear what software version was on the device. Newer iOS models may have better security. Apple declined to comment, but pointed Forbes to its response to previous research regarding searches of iPhones in AFU mode, in which it noted they required physical access and were costly to do.

A Signal spokesperson said: “If someone is in physical possession of a device and can exploit an unpatched Apple or Google operating system vulnerability in order to partially or fully bypass the lock screen on Android or iOS, they can then interact with the device as though they are its owner.

“Keeping devices up-to-date and choosing a strong lock screen passcode can help protect information if a device is lost or stolen.”

Counsel for the defendant in the New York case didn’t respond to messages. The Justice Department said it couldn’t comment.

GrayKey vs. Cellebrite

Forensic exploitation of devices affects any encrypted communications app, from WhatsApp to Wickr, not just Signal. What is apparent is that the government has a tool that can bypass encryption to get into what most people would assume are private messages. The question remains: What is that tool? It’s likely to be one of two popular iPhone forensics tools used by the FBI: the GrayKey or the Cellebrite UFED.

GrayKey, a tool created by Atlanta-based startup Grayshift, has been an increasingly popular choice for the FBI. The agency has spent hundreds of thousands of dollars on acquiring the devices, which start in price from $9,995. When Forbes obtained a leaked recording of Grayshift CEO David Miles talking in mid-2019, he said that his company’s tech could get “almost everything” on an iPhone in AFU mode.

Vladimir Katalov, founder of Russian forensics company ElcomSoft, said he believed GrayKey was the tool in use in the New York case. “It uses some very advanced approach using hardware vulnerabilities,” he hypothesized. Grayshift hadn’t responded to a request for comment at the time of publication.

Cellebrite, an established Israeli forensics tech provider, has long served American law enforcement, as well as global police agencies. A spokesperson said it was Cellebrite policy “not to comment on specific customers or uses of our technology,” but added that “law enforcement agencies are seeing a rapid rise in the adoption of highly encrypted apps like Signal by criminals who wish to communicate, send attachments and make illegal deals they want to keep discrete and out of sight from law enforcement.”

In December, Cellebrite indicated it had developed “advanced techniques” to bypass Signal encryption, though Signal issued a statement lambasting not just the company but media reports that had repeated Cellebrite’s claims. In a blog post, Signal said all Cellebrite had done was “parse Signal on an Android device they physically have with the screen unlocked.

“This is a situation where someone is holding an unlocked phone in their hands and could simply open the app to look at the messages in it. Their post was about doing the same thing programmatically (which is equally simple).”

When Signal cofounder Moxie Marlinspike commented on the Cellebrite claims in December, he called it “amateur hour.” Whatever tools the FBI used in the New York case, they’re far from amateur.

Follow me on TwitterCheck out my websiteSend me a secure tip