Recent reports reveal that law enforcement officials are encountering issues with newer iPhone models, particularly those running iOS 18 or later when used as evidence in criminal investigations. Certain iPhones in police custody are observed to reboot automatically, which disrupts law enforcement’s efforts to unlock the devices using brute-force passcode-cracking tools like Cellebrite.
This automatic reboot limits the time law enforcement has to access data on the device by shifting it to a more secure state, making it increasingly difficult to gather potential evidence stored within the phone.
In addition to new iPhones with iOS 18, older iPhone models held by law enforcement are also reportedly affected. These devices appear to be receiving signals from newer iPhones, which trigger them to reboot as well.
The rebooting process shifts iPhones from the “After First Unlock” (AFU) state, in which data is more accessible, back to the “Before First Unlock” (BFU) state, where the device is harder to unlock and access for evidence. This shifting process is reportedly intentional, with forensic expert Christopher Vance identifying an inactivity timer in iOS 18 that initiates a reboot after a certain period of time to further secure the device.
The AFU state is significant for law enforcement because, in this state, iPhones can be accessed using machines like Cellebrite. AFU means the phone has been unlocked by the user at least once since it was powered on, allowing certain data to be more accessible.
However, when an iPhone reboots to BFU, it reverts to a more locked state, which drastically limits the effectiveness of cracking tools. Consequently, this rebooting feature can impede law enforcement’s ability to retrieve data or evidence from the device once it returns to a more restricted, locked-down state.
An updated report by 404 Media has clarified that this security feature is specifically active on devices running iOS 18.1 or later, rather than iOS 18. The activity timer initiates a reboot when an iPhone remains locked for four days, automatically shifting it from AFU to BFU to bolster security.
This added measure aims to enhance the security of personal data on iPhones and is seen as a deterrent against potential data breaches, particularly if a device is stolen. Experts, like cryptographer Matthew Green, highlight that the real benefit of this feature is to prevent unauthorized individuals from holding a stolen iPhone and eventually breaking into it for malicious purposes.
While some in law enforcement view this feature as a setback, it is also seen as a protective measure for iPhone users. By limiting the ability of thieves to keep and crack a stolen device over an extended period, Apple’s reboot feature enhances personal security.
Although it poses challenges for gathering digital evidence, the security feature underscores Apple’s commitment to safeguarding user privacy and protecting iPhone owners from criminal access. This approach reflects a balance between user security and law enforcement needs, sparking ongoing discussions around data privacy and access.
