iPhone forensics: iOS 18 devices may trigger protection reboots
According to a report, investigators in the USA are increasingly noticing that seized iPhones are suddenly rebooting. Is this intentional on Apple's part?
(Image: Sebastian Trepesch)
A phenomenon that emerged with iOS 18, whereby iPhones restart automatically in forensic laboratories, is apparently making the work of US law enforcement authorities increasingly difficult. According to a media report by 404 Media, investigators suspect that Apple may have implemented a new security function in the version of the iPhone operating system released in September. Due to the unintentional restarts, seized devices are currently much more difficult for investigators to unlock. The report refers to anonymous sources and quotes from circulating tip-offs.
The reboot puts the affected devices into a secure mode. The investigators differentiate between two states: "After first unlock" (AFU) and "Before first unlock" (BFU). Anyone restarting an iPhone cannot unlock the device the first time using biometric methods such as Face ID or Touch ID, but must enter their device code once. Investigators and forensic experts call this state BFU. AFU, on the other hand, means that the user of the device from which it was recovered has already unlocked the iPhone once after the last restart.
The phenomenon has been occurring since iOS 18
Since the release of iOS 18, it has been observed more and more frequently that devices suddenly restart in labs and switch to BFU mode after a long period without a mobile connection. This apparently means that iPhones are also better protected against unlocking attempts using special devices, such as those offered by the company Cellebrite. There are also speculations that other devices in the vicinity could play a role in this – similar to the function of the Wo-ist network, where devices such as the AirTags use nearby iPhones and iPads to communicate their location via the network.
However, the fact that the phenomenon has also been observed on devices in airplane mode suggests that this is a function that originates from the iPhone alone. Shielding in Faraday containers also showed no change.
Videos by heise
Not an official feature
Apple itself has not yet made any statements on whether there is a new security function. However, this would not be surprising, as Apple and US investigators have been engaged in a cat-and-mouse game for many years, with Apple continuing to improve its devices in terms of security for of its users and investigators playing catch-up with the help of special service providers. Apple's precautions have also led to open conflicts in the past because investigators felt that their work was being hindered.
(mki)
