from the phone-cracking-now-has-a-countdown-timer dept
Apple Snuck In Code That Automatically Reboots Idle IPhones And Cops Are Not Happy About It
by Tim Cushing · TechdirtDetroit law enforcement officials got a bit of shock last week when some seized iPhones rebooted themselves, despite being in airplane mode and, in one case, stored inside a Faraday bag. Panic — albeit highly localized — ensued. It was covered by Joseph Cox for 404 Media, who detailed not only the initial panic, but the subsequent responses to this unexpected development.
Law enforcement officers are warning other officials and forensic experts that iPhones which have been stored securely for forensic examination are somehow rebooting themselves, returning the devices to a state that makes them much harder to unlock, according to a law enforcement document obtained by 404 Media.
The exact reason for the reboots is unclear, but the document authors, who appear to be law enforcement officials in Detroit, Michigan, hypothesize that Apple may have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time. After being rebooted, iPhones are generally more secure against tools that aim to crack the password of and take data from the phone.
The problem (for the cops, not iPhone owners) is that the reboot takes the phone out of After First Unlock (AFU) state — a state where current phone-cracking tech can still be effective — and places it back into Before First Unlock (BFU) state, which pretty much renders phone-cracking tech entirely useless.
The speculation as to the source of these unexpected reboots was both logical and illogical. The logical assumption was that Apple had, at some point, added some new code to the latest iOS version without informing the public this new feature had been added.
The other guesses were just kind of terrible and, frankly, a bit worrying, considering their source: law enforcement professionals tasked with finding technical solutions to technical problems.
The law enforcement officials’ hypothesis is that “the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.” They believe this could apply to iOS 18.0 devices that are not just entered as evidence, but also personal devices belonging to forensic examiners.
These are phones, not Furbies. There needs to be some avenue for phone-to-phone communication, which can’t be achieved if the phones are not connected to any networks and/or stored in Faraday cages/bags. The advisory tells investigators to “take action to isolate” iOS 18 devices to keep them from infecting (I guess?) other seized phones currently awaiting cracking.
Fortunately, a day later, most of this advisory was rendered obsolete after actual experts took a look at iOS 18’s code. Some of those experts work for Magnet Forensics, which now owns Grayshift, the developer of the GrayKey phone cracker. This was also covered by Joseph Cox and 404 Media.
In a law enforcement and forensic expert only group chat, Christopher Vance, a forensic specialist at Magnet Forensics, said “We have identified code within iOS 18 and higher that is an inactivity timer. This timer will cause devices in an AFU state to reboot to a BFU state after a set period of time which we have also identified.”
[…]
“The reboot timer is not tied to any network or charging functions and only tied to inactivity of the device since last lock [sic],” he wrote.
It’s an undocumented feature in the latest version of iOS, apparently. And one that isn’t actually a bug dressed in “feature” clothing. This was intentional, as was Apple’s decision to keep anyone from knowing about until it was discovered, presumably. Apple has issued no statement confirming or denying the stealthy insertion of this feature.
Law enforcement officials and the tech contractors they work with aren’t saying much either. Everything published by 404 Media was based on screenshots taken from a law enforcement-only group chat or secured from a source in the phone forensics field. Magnet Forensic has only offered a “no comment,” along with the acknowledgement the company is aware this problem now exists.
This means iPhones running the latest iOS version will need to be treated like time bombs by investigators. The clock will start running the moment they remove the phones from the networks they use.
This isn’t great news for cops, but it’s definitely great news for iPhone owners. And not just the small percentage who are accused criminals. Everyone benefits from this. And the feature will deter targeting of iPhones by criminals, who are even less likely to be able to beat the clock with their phone-cracking tech. Anything that makes electronic devices less attractive to criminals is generally going to cause additional problems for law enforcement because both entities — to one degree or another — know the true value of a seized/stolen phone isn’t so much the phone itself as it is the wealth of information those phones contain.