FBI Extracts Signal Messages from iPhone via Notification Database
The FBI extracted incoming Signal messages from a defendant's iPhone by accessing the device's push notification database, a method that circumvents the app's encryption by targeting a system-level iOS feature.
According to a report by 404 Media, the technique was revealed during a criminal trial. The weakness is not exclusive to the Signal messaging application; it stems from a common iOS function that stores notification previews.
The Investigation and Data Recovery
The data extraction occurred during an FBI investigation into a group allegedly involved in vandalism and setting off fireworks at the ICE Prairieland Detention Facility. An officer was reportedly shot in the neck during the incident.
Investigators recovered incoming Signal messages from the defendant's iPhone despite two significant factors: the user had deleted the Signal application, and the messages were configured to disappear within the app.
The FBI obtained the messages from the iPhone's internal push notification database. This method did not allow for the recovery of the defendant's outgoing Signal messages.
Technical Explanation of the Method
Signal uses end-to-end encryption (E2EE), which secures messages during transmission so that only the sender and intended recipients can read them.
The FBI's access method circumvented the app's encryption by targeting a different data source. Here is how it works:
- When an application has permission to display previews on an iPhone's Lock Screen, the iOS operating system saves copies of those notification previews to the device's internal memory.
- This creates a separate database of notification content that is held by iOS, isolated from the application itself.
- This vulnerability applies to any application with permission to show alert content on the Lock Screen, which could include other messaging apps, text alerts, news bulletins, and reminders.
User Mitigation and Settings
Signal includes application settings that allow users to control what information appears in notifications. Adjusting these settings prevents message content from being stored in the iOS notification database.
To block all message data from alerts, users should select the "No Name or Content" option within Signal's notification settings.
Here are the steps:
- Open the Signal application.
- Tap your profile icon.
- Select "Settings."
- Navigate to "Notification Content."
- Select the "No Name or Content" option.
An alternative setting, "Name Only," will display the sender's identity but not the content of the message in notifications.