Law enforcement officials warn that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them much more challenging to unlock, per a document obtained by 404 Media. 404 Media obtained the document from a mobile forensics source and verified it with another source. The document notes that some iPhones in a forensics lab, including those in Airplane mode or a Faraday box, rebooted unexpectedly, losing their “After First Unlock” (AFU) state. iPhones in an “After First Unlock” (AFU) can be accessed by law enforcement by using forensics tools like Cellebrite.
Once rebooted, the devices went into a Before First Unlock (BFU) state, which makes unlocking them much harder, as current tools can’t crack BFU iPhones. Three iPhones running iOS 18.0 were added to the lab on 03 October 2024, and officials hypothesize that these devices may have communicated with other iPhones in AFU mode, triggering a reboot if they were inactive or off-network. This could impact both evidence and personal devices running iOS 18.
This is the first time that this mysterious behavior has been documented. The document's authors appear law enforcement officials in Detroit, MI, USA. Experts believe a new security feature implemented in iOS 18 caused iPhones to reboot when disconnected from cellular networks. “After being rebooted, iPhones are generally more secure against tools that aim to crack the password of and take data from the phone,” reported 404 Media. “The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network,” reads the document seen by 404 Media.
The following is the hypothesis reported in the document: It is believed that the iPhone devices powered on in the vault in AFU if conditions were available, communicate with the other devices powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off-network. It is unclear what the exact settings are on the other AFU devices that did not reboot is there a difference in chipset, is their Bluetooth off or on, is auto-update off or on? However, the one (1) iOS 18.0 device that was isolated also rebooted after a period of isolation and inactivity. This gives evidence to support the idea that this is an iOS 18.0 security feature addition.
The document recommends that forensics labs isolate AFU devices from iOS 18 devices to prevent unexpected reboots that erase the AFU state. It also suggests taking inventory to check if any AFU devices have already rebooted.
Apple has not yet commented on the issue.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
Comments