
Biometric login is your enemy
A Washington Post journalist, Hannah Natanson, found the FBI at her door. They were after her communication devices, and had a warrant to seize everything. They took her laptops, both her personal and work computers, her phone, even her Garmin watch. She had recently written about her role as the “federal government whisperer,” sharing the stories of those working in government who had their workplaces jarringly change under the Trump administration, and the worries they shared about its dark future.
It’s easy to believe the raid was in retaliation for her stories showing the Trump administration’s negative effects on government. It’s also hard not to see this as a threat to journalism in the United States. However, the FBI agents claim the raid was done to secure classified documents they believe could have been leaked to her. Still, the move was, as numerous other news organizations called it, aggressive, unusual, and a threat, intentional or otherwise, to our First Amendment rights. Who will watch the watchdogs if they silence every observer?
The FBI was able to gain access to her accounts, despite her best efforts to secure them, through a security loophole she didn’t anticipate. Why would she have to? Our government doesn’t typically behave so antagonistically towards the press and free speech. But we live in different times. Here’s what happened, the mistake Natanson made, and how you can protect yourself.
An Unprecedented Search
“It is exceedingly rare, even in investigations of classified disclosures, for federal agents to search a reporter’s home. A 1980 law generally bars search warrants for reporters’ work materials, unless the reporters themselves are suspected of committing a crime related to the materials.”
– Benjamin Mullin, Devlin Barrett, Charlie Savage, and Erik Wemple, NY Times
Washington Post journalist Hannah Natanson was not suspected of committing any crimes. The reason for searching her electronic devices, or at least the reason she was given, was to find materials that someone else may have sent her. According to the “newspaper of record” (for whatever that’s worth anymore), this is “exceedingly rare.” That’s because, supposedly, in a case like this, the journalist in question would usually receive a subpoena for the information law enforcement is seeking. They’d receive warning and be able to prepare what they may have to hand over. The FBI did this for the Washington Post in this case, and did not raid their offices the way they did Natanson’s home. We don’t know yet if Natanson received the same subpoena or advance notice.
Natanson had been fielding stories from government employees who lost faith in the government and the future of the country after Trump took over. Those reports dramatically changed Natanson’s life, turning her into the “federal government whisperer.” It also may have made her a target for “exceedingly rare” surprise searches.
“A government action this rare and aggressive signals a growing assault on independent reporting and undermines the First Amendment. It is intended to intimidate sources and chill journalists’ ability to gather news and hold the government accountable. Such behavior is more commonly associated with authoritarian police states than democratic societies that recognize journalism’s essential role in informing the public.”
– Tim Richardson, journalism and disinformation program director at PEN America
The point of the First Amendment is to hold the government accountable for its actions. It’s the backbone of a democracy that people know what’s happening in their country and can make their own decisions. No country without complete free speech could ever be considered a democracy. However, the freedom of the press means nothing if everyone’s too afraid to write anything, if we’re too afraid to record police or write about protests, too afraid to talk to people fed up with working for a man like Trump. That’s why the Department of Justice is normally far more respectful of journalists; America doesn’t work without its Constitution and Bill of Rights.
During President Biden’s term, using subpoenas and search warrants to get reporters’ sources by treating reporters as possible criminals was blocked. Ms. Bondi, President Trump’s attorney general, reversed that guideline. This allows the government to act in bad faith, targeting a journalist as though they were a criminal and later not pursuing charges, as they aren’t for Ms. Natanson. If the DOJ’s goal was to intimidate journalists or collect Natanson’s sources, their hypothetical actions would not differ greatly from what they did.
“The administration may now be in possession of volumes of journalist communications having nothing to do with any pending investigation and, if investigators are able to access them, we have zero faith that they will respect journalist-source confidentiality.”
– Seth Stern, chief of advocacy at Freedom of the Press Foundation
The leaker in question, Aurelio Perez-Lugones, a systems administrator with top secret security clearance, had been apprehended for retaining classified documents. Hannah Natanson has not been pursued for any crimes. Meanwhile, her thousands of contacts could be in danger if the DOJ wanted her laptop for more than the materials they’ve claimed to be searching for. While she was using encrypted drives and auto-deleting messages on Signal, they were able to gain access to her files through her work laptop. Her iPhone was protected by Lockdown Mode and her personal laptop by a password, but her work laptop was using Touch ID, and they were able to compel her to unlock it with her fingerprint. In most cases, the government can force us to give biometrics to unlock our devices.
Lockdown Mode Keeps iPhones Safe
Lockdown Mode on Natanson’s iPhone made it a digital vault. The FBI wasn’t able to break into her iPhone and needed to use her work laptop to gain access to her Signal chats. Before we get into how you can prevent such a backdoor in your own security, let’s go over Lockdown Mode, and why you may not want to rush to enable it unless you need it.
Lockdown Mode disables parts of your iPhone that hackers frequently exploit. While Apple patches vulnerabilities they find, they are aware that some features are potential security holes. It’s kind of like how you know if someone broke into your house, their most likely entry point is a window, even though you lock them. We know the weak points in software, even if we don’t know of any active exploits for them.
Any time an external source could execute code on your machine, you’ve created a potential vulnerability. Many attacks come in through JavaScript in browsers or messaging app hacks that take advantage of things like autoplay on GIFs. That’s why Lockdown Mode turns off features that could be potential attack vectors. Messages won’t load inline media, websites may not work as expected or at all, and FaceTime calls are blocked unless they meet certain guidelines regarding how frequently you talk to that person. SharePlay, Live Photos, Invitations, focus status, shared albums, and more just won’t work. 2G and 3G networks are blocked, as are automatic Wi-Fi joining settings. Configuration profiles can’t be installed. There’s a lot more that you can read about on Apple’s site.
If you want to turn on Lockdown Mode, it’s quite easy, and you can do it on your iPhone, iPad, or Mac. If you have an Apple Watch synced to your iPhone, it will have Lockdown Mode turned on as well. However, turning it on for one device will not turn it on across all of your devices.
- Open Settings
- Go to Privacy & Security
- Scroll down to the bottom and select Lockdown Mode
- Turn it on
- Verify you want to activate it. Your device will restart
How Did Lockdown Mode Almost Save the Day?
The FBI’s Computer Analysis Response Team could not get into Natanson’s iPhone, stating Lockdown Mode kept them out. They were also not able to get into her MacBook because it was protected with a password. If she didn’t have any other devices, they’d have gotten nothing. However, her work laptop was secured with Touch ID, and they can compel people to authenticate their devices using biometrics like face scans and fingerprints when a judge has given them a warrant to search devices.
Signal has a feature that allows you to sync your account across multiple devices. While you need a phone to access the service, you can receive messages on other devices once you’ve authenticated them with your account. However, when you do this, the security on your Signal account is only as good as the security on your least secure device. Natanson synced her Signal chats with her work laptop, which was secured with only Touch ID. Her Signal chats would have been secured if not for that. Lockdown Mode almost protected her sources. Due to auto-delete settings, investigators won’t be able to get all the conversations and her thousands of contacts. But they’ll certainly be able to get some. That will discourage reporters from talking about what’s happening in Trump’s administration as well as make leakers feel less safe talking to journalists. One small mistake exposed potentially thousands of people.
Don’t make those kinds of mistakes if you have such valuable data on hand.
Turn off Biometrics on Your Computer and Tablet Now
Truth be told, when I read this story initially, I gasped. I had previously synced my Signal account to my Mac, which, at the time, could be unlocked via Touch ID. It’s not as though I have any information that would be valuable to anyone. I report on consumer tech in my spare time using other people’s reporting. From my journalistic standing, and by most other measures, I’m a nobody. Still, it was scary to think that I could have such a vulnerability in my tech. As it turned out, I had signed out, but if I hadn’t, I would have had the same backdoor as Natanson did into her account.
You don’t know when you’re going to be put at risk anymore. Our government threatens our very way of life. Something as simple as dropping your kids off at daycare has become potentially deadly with ICE out in Trump’s America. So, while you may have no data worth mentioning now, you could one day be subjected to being on the wrong end of the law, or a gun, through no fault of your own. On that day, you’ll probably wish you had taken critical security measures now.
The first and biggest is to turn off biometrics on your Mac. Your iPhone, Android phone, and iPad will have methods of quickly turning off your fingerprint sensor and encrypting the contents of your device. For some unknown reason, Apple never brought such a lock over to the Mac. So, until they do, turn off biometrics on your Macs. Apple has no good reason for not making a quick lockout method on their Macs. The best you can do is quickly shut your device down, because it will require a password after rebooting.
Emergency Biometrics Lockout
On your iPhone or iPad, you can actually keep biometrics on, but you will still be at a higher risk. It’s best to turn biometrics off everywhere, but if you’re using a long password, and you should, then that can be annoying to enter as frequently as we have to for our phones. Here’s how to quickly lock down a few of your mobile devices:
iPhone:
- Press the lock button 5 times quickly.
  - Note: this will start an emergency call, so be quick to cancel that before the countdown ends or you’ll call emergency services. You’ll have 8 seconds, more than enough time, as it pauses once you start the cancellation process.
- Press and hold the volume up and lock button.
  - This will instantly lock your device without preparing your device to contact emergency services, but it is harder to do in a rush.
iPad:
- Pushing the lock button 5 times won’t help here. Instead, you’ve got to press a volume button and the lock button and hold them down until the slide to shut down screen comes up
Android:
- Press and hold the lock button until the device menu comes up. Tap “Lockdown” on the menu
On your Mac, it’s not enough to stop using biometrics. You also have to enable FileVault. This is whole-device encryption that will protect your Mac. Apple does encourage users to enable it when they set up their Macs, and it may be the default option now for new Macs. However, if you want to check, open Settings and search for FileVault or go to Privacy & Security and find the FileVault option there. Make sure it’s enabled. You can also fully shut down your Mac by simply pressing the power button long enough. This ensures any keys that might be in memory are cleared out.
For Windows, you’ll have to use a third-party encryption tool. You can use Microsoft’s BitLocker, but if you allow it to sync with your Microsoft account, Microsoft will have your encryption keys, and they’re more than happy to hand those over. This isn’t something you have to worry about with Apple or even Google; it’s just Microsoft engaging in this scummy behavior.
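An added example, not part of the original article: a shell check for the two Mac settings discussed above, FileVault on and Touch ID unlock off. It assumes macOS's `fdesetup status` and `bioutil -r` commands; the exact wording of the `bioutil` output line is an assumption and may differ between macOS versions, and the sample text is constructed.

```shell
#!/bin/sh
# Audit a Mac for FileVault (should be on) and Touch ID unlock (should be off).

# Succeeds when `fdesetup status` output reports FileVault enabled.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Succeeds when `bioutil -r` output shows biometric unlock enabled.
# Assumption: the relevant line ends in "for unlock: 1".
biometric_unlock_on() {
    printf '%s\n' "$1" | grep -Eq 'for unlock:[[:space:]]*1[[:space:]]*$'
}

# Takes the two command outputs as text and prints one line per finding.
assess() {
    ok=1
    if ! filevault_on "$1"; then
        echo "RISK: FileVault is off"
        ok=0
    fi
    if biometric_unlock_on "$2"; then
        echo "RISK: Touch ID can unlock this Mac"
        ok=0
    fi
    [ "$ok" -eq 1 ] && echo "OK: FileVault on, biometric unlock off"
    return 0
}

# Constructed sample output, used when the macOS tools are not present.
SAMPLE_FV='FileVault is On.'
SAMPLE_BIO='User Touch ID configuration:
    Touch ID functionality: 1
    Touch ID for unlock: 1'

if command -v fdesetup >/dev/null 2>&1 && command -v bioutil >/dev/null 2>&1; then
    assess "$(fdesetup status 2>/dev/null)" "$(bioutil -r 2>/dev/null)"
else
    echo "macOS tools not found; assessing the constructed sample:"
    assess "$SAMPLE_FV" "$SAMPLE_BIO"
fi
```
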
Make Your iPhone and Signal More Secure
For the most part, you can just use Signal and you’ll be fine. However, if you’re worried about your security, some of the default settings, or possibly settings you changed, may open you up to vulnerabilities if someone is able to unlock your device. Of course, all of this is contingent on your first line of defense failing, but there’s no harm in preparing further defenses. Signal, out of the box, is far more secure than any other chat client you’ll be using. But here’s how to lock it down even more.
First, ensure you’re only syncing your account with devices you need it for. Signal makes it fast and easy to log into your account on another device, so you can always simply log out on your secondary devices and log back in later. While I have the Signal app on all my devices, only one of them has access to my account at a time. And any device that has access to your Signal account should not have biometrics turned on, especially if you’re attending a protest or handling sensitive data.
Next, we’re going to want to look into your settings. The most important first step will be setting up a passcode for Signal. These kinds of passcodes, entered after your device is already unlocked, aren’t as secure, but it’s better than nothing. You can create a PIN in Signal from Settings > Account. Make sure you set up PIN reminders so you’ll have to enter it on occasion if you are using Face ID to unlock Signal.
In the Privacy settings, you’ll want to set up a variety of items. Turn off Read Receipts and Typing Indicators; there’s no use in sharing that information. Set Disappearing Messages up to delete your messages automatically after a week or more if you feel less confident about one week. This is especially important in group chats, and it greatly helped Natanson’s contacts. You’ll also want to hide the screen in the app switcher, so no one can record your screen to gather information when your phone is in multitasking view. Then turn on screen lock, and set the screen lock timeout to either instant or one minute.
Under Advanced, turn on “Always Relay Calls,” as this can prevent your IP address from giving you away. You should also be using a VPN service like Proton’s anyway, which is secure, encrypted, and doesn’t hand over data, not that it has any on your browsing habits.
Under Chats, turn off “Generate Link Previews,” as these do get information from a website and may reveal information about you. Also turn off “Share Contacts with iOS,” so chats won’t be linked to your contacts, even if the numbers match, making them harder to identify, especially if they only reveal their screen name. Turn off “Use Phone Contact Photos” as well, to make them harder to identify. Obviously, don’t use your full name or your own picture in your Signal profile.
You can also check the individual privacy settings for Signal in your iPhone’s Settings > Apps > Signal. There you can turn off access to Contacts, use limited access on your photos and select them every time you go to use it, and turn off camera or microphone settings if you never use calling or video chat. On Android, these are in Settings > Apps > See all Apps > Permissions. There you can turn off any permissions you’ve granted and no longer want it to have access to.
Remember, these are mostly tips for people who are attending protests, organizing, or speaking to journalists or sources. You likely won’t need to do all of these. Still, if you can put up with it, you can secure your devices and your communications, and that just gives you a warm and fuzzy feeling, doesn’t it?
Be Less Trusting
Listen, I’m not telling you to go all tinfoil hat here. It takes a lot of effort, time, and money to track someone, and the government isn’t going to waste that on you unless you did something interesting enough, and, no, you probably didn’t. However, we live in a rather unfortunate political climate. Surveillance is getting scary. Many people woke up to this thanks to a Ring ad during the Super Bowl. With AI scanning everything and making deepfakes as well as the political climate of protests, mutual aid, and everything else we have to do to preserve democracy and our rights under the Trump regime, it makes sense to think a little bit more about your privacy and security. Lock down your devices and get used to asking yourself, “Could this expose my information to others? Do I need that kind of exposure?”
Spend more time thinking about your privacy and security now, or you may regret it later.
Sources:
- Jon Brodkin, Ars Technica
- Joseph Cox, 404Media
- Nikita Mazurov, The Intercept
- Benjamin Mullin, Devlin Barrett, Charlie Savage, and Erik Wemple, NY Times
- Richard Luscombe and Jeremy Barr, The Guardian
- YCombinator