Pierluigi Paganini November 08, 2024

Law enforcement warns that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them harder to unlock, reported 404 Media.

Law enforcement warns that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them much harder to unlock, per a document obtained by 404 Media.

404 Media obtained the document from a mobile forensics source and verified it with another source.

The document notes that some iPhones in a forensics lab, including those in Airplane mode or a Faraday box, rebooted unexpectedly, losing their “After First Unlock” (AFU) state.

iPhones in an “After First Unlock” (AFU) can be accessed by law enforcement by using forensics tools like Cellebrite.

Once rebooted, the devices went into a Before First Unlock (BFU) state, which makes unlocking them much harder, as current tools can’t crack BFU iPhones. Three iPhones running iOS 18.0 were added to the lab on October 3, and officials hypothesize that these devices may have communicated with other iPhones in AFU mode, triggering a reboot if they were inactive or off-network. This could impact both evidence and personal devices running iOS 18.

This is the first time that this mysterious behaviour has been documented. The authors of the document appear to be law enforcement officials in Detroit. The experts believe a new security feature implemented in iOS 18 caused iPhones to reboot when disconnected from cellular networks.

“After being rebooted, iPhones are generally more secure against tools that aim to crack the password of and take data from the phone.” reported 404 Media.

“The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network,” reads the document seen by 404 Media. 

Below is the hypothesis reported in the document.

“It is believed that the iPhone devices powered on in the vault in AFU, that if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network. It is unclear what the exact settings are on the other AFU devices that did not reboot is there a difference in chipset, is their Bluetooth off or on, is auto-update off or on? However, the one (1) iOS 18.0 device that was isolated also reboot after a period of isolation and inactivity. This gives evidence to believe this is an iOS 18.0 security feature addition.”

The document recommends forensics labs to isolate AFU devices from iOS 18 devices to prevent unexpected reboots that erase the AFU state. It suggests taking inventory to check if any AFU devices have already rebooted.

Apple has not yet commented on the issue.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, iPhones)