
iPhones Seized by Law Enforcement Are Rebooting, Leaving Questions Unanswered

Law enforcement officials in Detroit are warning about a possible new security feature in iOS 18.


Law enforcement officials in Detroit are concerned about a series of iPhones in their possession suddenly rebooting without warning. This issue makes it more challenging for authorities to search the devices for potential evidence.

The news first surfaced through 404 Media, which appears to have obtained internal documents from Detroit police officers. The documents contain a warning about the problem and advise other law enforcement agencies to be wary.

According to the document, "iPhone devices are rebooting in a short span, possibly within 24 hours, when removed from a cellular network. If the iPhone was in the After First Unlock (AFU) state, the device returns to a Before First Unlock (BFU) state after the reboot. This could hinder the acquisition of digital evidence from devices that are not supported in any state outside of AFU."

An iPhone's lock state significantly affects how well third-party tools such as Cellebrite's can access the device. When an iPhone turns back on following a power loss, it is in BFU, which is more difficult to penetrate. Although police can still force their way into the phone, doing so is more challenging, and the data they can retrieve is limited.

An article from the Dakota State University Digital Forensics Lab explains that data from a BFU extraction primarily comprises system data. However, a small amount of user-generated data might be visible, which could provide new leads in particular cases.

In Detroit, the reason for the iPhone reboots remains unclear, but the police suspect it might be a security feature integrated into iOS 18.0. What makes the situation stranger is that the reboot occurred in phones that were in airplane mode and even one that was inside a Faraday box, which typically blocks outside signals. The police theorize that the phones might have communicated with each other in some way.

The document published by 404 Media says, "It is believed that the iPhone devices with iOS 18.0, brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had elapsed since device activity or being off network."

In one scenario, the police hypothesized that the personal device of an investigator triggered the reboot in other phones. But they're perplexed. "The specific conditions that must exist for these reboots to occur is unknown and further testing and research would need to be conducted to add more specifics to the new hurdle we are now faced with. What is known is that this new ‘feature’ of some sort has increased the difficulty with forensically preserving digital evidence," the documents said.

The police then advised other investigators to take preventive measures. "If a lab's AFU devices have not been exposed to iOS 18 devices, take action to isolate those devices before they do so," the documents said. "Labs should take a current inventory of their AFU devices and identify if any of them have rebooted and have lost their AFU states."

Apple did not respond to Gizmodo's query for comment.

The concern over iPhone reboots in Detroit extends beyond the tech industry, as the issue could affect the collection of digital evidence in various future legal cases. The police documents suggest that certain iPhones running iOS 18.0 may be communicating with each other, causing unexpected reboots, even when the devices are in airplane mode or inside Faraday boxes.
