It is believed that the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.
After First Unlock, or AFU, denotes a device state where the owner has unlocked their device with a passcode or Face ID at least one time since it was powered on. It is easier for law enforcement to get into a device in AFU mode with iPhone unlocking tools from companies like Cellebrite. A restart apparently makes the process more difficult.
The digital forensics lab that noticed the issue had several iPhones in AFU state reboot, including iPhones in Airplane mode and one in a faraday box. Since a faraday box blocks all electronic signals from reaching a device, there wouldn't be a way for an iPhone running iOS 18 to communicate with an iPhone in a functional faraday box.
The police document speculates that this is "an iOS 18.0 security feature addition" because one device running iOS 18 also rebooted after a period of isolation and inactivity. Several other devices in the same area did not, however, restart, and there is no evidence that Apple has added a feature that causes older iPhones to reboot when in contact with an iPhone running iOS 18.
Law enforcement officials recommend isolating iOS 18 devices from other iPhones that are in an AFU state as further testing takes place.
The specific conditions that must exist for these reboots to occur is unknown and further testing and research would need to be conducted to add more specifics to the new hurdle we are now faced with. What is known is that this new "feature" of some sort has increased the difficulty with forensically preserving digital evidence.
Matthew Green, a cryptographer and Johns Hopkins professor, told 404 Media that the law enforcement officials' hypothesis about iOS 18 devices is "deeply suspect," but he was impressed with the concept.
"The idea that phones should reboot periodically after an extended period with no network is absolutely brilliant and I'm amazed if indeed Apple did it on purpose," he said.
Update: Apple added an "inactivity reboot" feature in the iOS 18.1 update, but it does not relate to phone/wireless network state.