Law enforcement officers are warning other officials and forensic experts that iPhones which have been stored securely for forensic examination are somehow rebooting themselves, returning the devices to a state that makes them much harder to unlock, according to a law enforcement document obtained by 404 Media.

The exact reason for the reboots is unclear, but the document authors, who appear to be law enforcement officials in Detroit, Michigan, hypothesize that Apple may have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time. After being rebooted, iPhones are generally more secure against tools that aim to crack the phone's password and take data from it.

“The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network,” the document reads.

Apple did not respond in time for publication to a question about whether it introduced such an update. Regardless, the reported iPhone reboots highlight the constant cat-and-mouse game between law enforcement officers and forensic experts on one side, and phone manufacturers Apple and Google on the other.

404 Media obtained the document from a mobile forensics source. 404 Media then corroborated the document with a second mobile forensics source, who confirmed they had seen the same document and sent a short snippet of it for verification purposes. 404 Media granted the sources anonymity to speak about sensitive industry developments.

The document says that a digital forensics lab was holding a number of iPhones that were in an After First Unlock (AFU) state. AFU means that since the last time the device was powered on, someone (typically the owner) has unlocked the device with their passcode or similar at least once. Generally, law enforcement has an easier time accessing devices in an AFU state with specialized tools. These include tools such as Cellebrite, according to documents 404 Media previously published that laid out Cellebrite’s unlocking capabilities.

“However, something had caused the devices to reboot, since their intake and they lost the AFU state,” the document says. This includes iPhones that were in Airplane mode, and even one that was inside a faraday box. A faraday box blocks electronic signals from reaching the device, such as wipe commands, and stops it from communicating with cellular networks.

After the reboot, the devices entered a Before First Unlock (BFU) state, the document says. This made unlocking them significantly harder, and according to the document, cracking them is now not possible with current tooling.

The document says that three iPhones running iOS 18.0, the latest major iteration of Apple’s operating system, were brought into the lab on October 3. The law enforcement officials’ hypothesis is that “the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.” They believe this could apply to iOS 18.0 devices that are not just entered as evidence, but also personal devices belonging to forensic examiners.

“That is utterly bizarre and amazing,” Matthew Green, a cryptographer and associate professor at Johns Hopkins University, told 404 Media after being shown parts of the document. Green said he found the law enforcement officials’ hypothesis to be “deeply suspect,” though.

“The idea that phones should reboot periodically after an extended period with no network is absolutely brilliant and I’m amazed if indeed Apple did it on purpose,” he said.

The document ends with a set of recommendations for people trying to extract information from iPhones. “If a lab’s AFU devices have not been exposed to iOS 18 devices, take action to isolate those devices now before they do so. Labs should take a current inventory of their AFU devices and identify if any of them have rebooted and have lost their AFU states,” one recommendation reads.

The document concludes: “The issue needs to be communicated far and wide across the forensic and investigative realms for awareness, spread the word.”