Law enforcement officials in Detroit, Michigan are warning other police officers about an alleged iPhone change that causes Apple devices stored for forensic examination to spontaneously restart, reports 404 Media.
iPhones that are undergoing examination have apparently been rebooting, which makes them harder to unlock with brute force methods, and Michigan police think that it's due to a security feature that Apple added in iOS 18. A document found by 404 Media speculates that iPhones running iOS 18 are causing other iPhones to restart when those iPhones have been disconnected from a cellular network.
The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network. If the iPhone was in an After First Unlock (AFU) state, the device returns to a Before First Unlock (BFU) state after the reboot. This can be very detrimental to the acquisition of digital evidence from devices that are not supported in any state outside of AFU.
It is believed that the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.
After First Unlock, or AFU, denotes a device state where the owner has unlocked their device with a passcode or Face ID at least one time since it was powered on. It is easier for law enforcement to get into a device in AFU mode with iPhone unlocking tools from companies like Cellebrite. A restart apparently makes the process more difficult.
The digital forensics lab that noticed the issue had several iPhones in AFU state reboot, including iPhones in Airplane mode and one in a faraday box. Since a faraday box blocks all electronic signals from reaching a device, there wouldn't be a way for an iPhone running iOS 18 to communicate with an iPhone in a functional faraday box.
The police document speculates that this is "an iOS 18.0 security feature addition" because one device running iOS 18 also rebooted after a period of isolation and inactivity. Several other devices in the same area did not, however, restart, and there is no evidence that Apple has added a feature that causes older iPhones to reboot when in contact with an iPhone running iOS 18.
Law enforcement officials recommend isolating iOS 18 devices from other iPhones that are in an AFU state as further testing takes place.
The specific conditions that must exist for these reboots to occur is unknown and further testing and research would nee to be conducted to add more specifics to the new hurdle we are now faced with. What is known is that this new "feature" of some sort has increased the difficulty with forensically preserving digital evidence.
Matthew Green, a cryptographer and Johns Hopkins professor told 404 Media that the law enforcement officials' hypothesis about iOS 18 devices is "deeply suspect," but he was impressed with the concept.
"The idea that phones should reboot periodically after an extended period with no network is absolutely brilliant and I'm amazed if indeed Apple did it on purpose," he said.