Apple’s iOS 18 May Thwart Law Enforcement iPhone Hacking

U.S. law enforcement authorities are cautioning colleagues and forensic experts about a novel complication in handling iPhones held for forensic examination. According to an internal document obtained by 404 Media, devices previously seized and stored in isolated conditions are unexpectedly rebooting, complicating unlocking procedures and data extraction.

The cause of these sudden reboots remains unclear. The document, reportedly authored by Detroit law enforcement officials, suggests a theory that Apple may have introduced a new security feature in iOS 18. This hypothesis posits that iPhones may reboot after prolonged disconnection from cellular networks, rendering the devices more resistant to password-cracking and data extraction tools.

The document emphasizes the importance of informing colleagues about the situation, particularly concerning iPhones that reboot within a short time frame (potentially within 24 hours) when disconnected from cellular service. This is particularly relevant for devices stored in isolated conditions for forensic analysis. Apple has not yet commented on whether such a feature has been added to iOS 18.

Several iPhones held in a forensic lab in the After First Unlock (AFU) state have unexpectedly rebooted, losing this state. Devices in AFU are considered more accessible to law enforcement using specialized device-cracking tools. However, following a reboot, these iPhones reverted to the Before First Unlock (BFU) state, making data access impossible with current technology.

It is worth noting that back in April 2024, the mobile forensics company Cellebrite encountered a similar issue, where a significant portion of recent iPhones proved inaccessible to their cracking tools.

Reports indicate that three iPhones running iOS 18.0 arrived at the lab on October 3. Experts speculate that devices with iOS 18 may have exchanged signals with other iPhones in AFU storage. This connection may have triggered a reboot command for devices left inactive or off-network for extended periods. Theoretically, this could affect not only seized devices but also the personal phones of forensic experts if they are in close proximity.

The document concludes with a list of recommendations for labs handling data extraction. It advises isolating AFU devices from potential contact with iPhones running iOS 18. Laboratories are also encouraged to inventory existing devices and check for any unexpected reboots and AFU state loss.

With the release of iOS 18, Apple has taken another step to counter the used parts market from stolen devices. The activation lock feature now extends not only to the iPhone itself but also to major components like the battery, cameras, and display. This measure aims to prevent the resale of stolen parts, providing additional security to users.