Court documents related to a recent gun-trafficking case in New York and obtained by Forbes revealed that the FBI may have a tool to access private Signal messages.
The documents revealed that encrypted messages can be intercepted from iPhone devices when they are in “partial AFU (after first unlock)” mode.
“The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documents containing screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York.” states Forbes. “There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off.”
Some forensics security firms. such as Cellebrite and Grayshift/GrayKey, developed platforms for the forensic investigation of mobile devices that allow extraction of sensitive information. In December, the Israeli security firm Cellebrite claimed that it can decrypt messages from the Signal highly secure messaging app.
The tools exploit both software and hardware vulnerabilities to extract data from mobile devices.
Investigators could extract data from iPhone devices in partial AFU mode because encryption keys are stored in memory and could be accessed using specific forensic tools.
At the time of this writing, it is unclear which model of iPhone was accessed by the FBI either the iOS version running on the device.
“The iPhone in question appears to be either an iPhone 11 (whether Pro or Max) or a second generation iPhone SE. It’s unclear if the police can access private data on an iPhone 12. It’s also not clear what software version was on the device. Newer iOS models may have better security.” continues Forbes. “Apple declined to comment, but pointed Forbes to its response to previous research regarding searches of iPhones in AFU mode, in which it noted they required physical access and were costly to do.”
A Signal spokesperson told Forbes that if someone is in physical possession of a device can exploit an unpatched Apple or Google operating system vulnerability to partially or fully bypass the lock screen, and then interact with the device.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, iPhone)