UPDATE: A security researcher has investigated the situation and posted a note on Mastodon that the behavior described below is part of a new “inactivity reboot” feature in iOS 18.1 that automatically reboots phones that haven’t been unlocked in a while and has nothing to do with other iPhones being close by.
To be filed under, “say what now?” Detroit, Michigan police say Apple may have made a change in iOS 18 that causes iPhones with the latest version of Apple’s operating system installed to instruct nearby Apple devices stored for forensic examination to reboot, making it tougher to unlock the devices using brute force unlocking tools from companies like Cellebrite.
404 Media reports that police have released a document saying iPhones that are to be unlocked are instead rebooting, making it tougher to unlock them. The police believe the “feature” is one Apple added to iOS 18.
The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network. If the iPhone was in an After First Unlock (AFU) state, the device returns to a Before First Unlock (BFU) state after the reboot. This can be very detrimental to the acquisition of digital evidence from devices that are not supported in any state outside of AFU.
It is believed that the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.
When a device is in First Unlock, or AFU state, the device has been unlocked with a passcode or a biometric method, like Face ID or Touch ID since it was last turned on. A device that is in AFU mode is easier to unlocking using tools like those developed by Cellebrite and other companies. However, if a device is restarted and goes into Before First Unlock (BFU) the unlocking process is much more difficult.
The police digital forensics lab says several iPhones in an AFU state spontaneously rebooted, even iPhones that were in Airplane mode. One iPhone rebooted even though it was stored in a faraday box, which blocks electronic signals from reach a device. However, if a faraday box is properly constructed, an iPhone running iOS 18 would not be able to communicate with an iPhone stored in the box.
At least one device with iOS 18 installed rebooted after it was isolated and inactive, leading police to believe that this is a new security feature Apple added to it’s latest iPhone operating system. It should be noted that several other Apple devices stored in the same area did not reboot, which shoots down the cops’ theory of iOS 18 iPhones telling other devices to restart.
While the cops’ theories may be “out there” a bit, Michigan law enforcement officials still recommend keeping iPhones with iOS 18 installed away from any other iPhones that are in an AFU state, at least for now.
The specific conditions that must exist for these reboots to occur is unknown and further testing and research would nee to be conducted to add more specifics to the new hurdle we are now faced with. What is known is that this new “feature” of some sort has increased the difficulty with forensically preserving digital evidence.
Is Apple instructing iPhone with iOS 18 installed to send a reboot command to other devices? If not, it’s certainly a security feature that would be welcomed by several users, especially users who have iPhones in police evidence lockers.
