“The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short period of time (observations are possibly within 24 hours) when removed from a cellular network.”-Police document
The document was obtained by 404 Media from a mobile forensics source. The document was corroborated by a second mobile forensics source who had already seen the same document and sent 404 Media a small portion of it for verification purposes.
According to this document, a digital forensics lab had a number of iPhone units in After First Unlock (AFU) state. This means that since the last tine the phone was powered on, the device had been unlocked (presumably by the owner of the device) using a passcode at least once. It is easier for law enforcement to use password cracking tools like the Cellebrite machines to unlock an iPhone if it is in the AFU state.
After the reboot, these iPhone units went into a Before First Unlock (BFU) state and current technology prevents iPhones in this state from being cracked open wtih a Cellebrite or similar type of machine.
The document also has one hypothesis that states the iPhone models with iOS 18 installed communicated with other iPhone models held by the same forensic lab in a vault. That communication was a signal to other iPhone units not updated to iOS 18 in the AFU state telling them to reboot after being cut off a cellular network for a predetermined time period. This signal could come from iPhone devices running iOS 18 and later that are being used as evidence in police cases, but also with the personal iPhone models owned by forensic examiners that run iOS 18 and later.
The hypothesis from a leaked law enforcement document about iPhone units held for forensic analysis. | Image credit-404 Media
If true, this would be a brilliant move by Apple to enhance the security of iPhones being held by law enforcement. By having the units running iOS 18 and later held by law enforcement signal other iPhone models to reboot, even the personal iPhones owned by forensic examiners could be used to block police, the FBI, and other alphabet soup agencies unlock a person’s iPhone with the intent of running through the owner’s personal data looking for evidence.
“That is utterly bizarre and amazing. The idea that phones should reboot periodically after an extended period with no network is absolutely brilliant and I’m amazed if indeed Apple did it on purpose.”-Matthew Green, cryptographer, associate professor at Johns Hopkins University
The law enforcement document ended with a recommendation. Labs trying to extract data from iPhone units in the AFU state that have not yet been updated to iOS 18 should be isolated and not exposed to iPhone devices that have been updated to iOS 18 or later to prevent them from receiving the signal to reboot.
