Cops Claim iPhones Running iOS 18 Are Instructing Other iPhones to Reboot, Making Unlocking Harder [Updated]
Toggle Dark Mode
Police in Detroit, Michigan, say they believe Apple has made a change in iOS 18 that’s hampering their investigative efforts by making it more challenging to unlock older phones once they’ve been in proximity to a newer model running iOS 18.
An investigative report by 404 Media reveals that Michigan police have had iPhones stored in vaults awaiting forensic examination spontaneously rebooting, making it more challenging to get into them. The police believe the reboots result from a security feature that Apple added to iOS 18. 404 Media shared a document that speculates that iPhones running iOS 18 are instructing other iPhones to restart once they have been disconnected from a cellular network.
The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network. If the iPhone was in an After First Unlock (AFU) state, the device returns to a Before First Unlock (BFU) state after the reboot. This can be very detrimental to the acquisition of digital evidence from devices that are not supported in any state outside of AFU.
It is believed that the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.
After First Unlock, or AFU, is a device state in which the device has been unlocked with a passcode at least once since it was last powered on. Law enforcement has an easier time getting into a device that is in AFU mode using unlocking tools made by companies like Cellebrite since at least some information remains decrypted in memory once it’s been unlocked at least once. However, a restart leaves everything encrypted until the passcode is entered, which makes the brute-force unlocking process much more difficult.
The Michigan police digital forensics lab noticed that several iPhones in AFU state rebooted, including some that were in Airplane mode and even one stored in a Faraday box. That last one sheds some doubt on the theory that these reboots are being initiated by other iOS 18 iPhones since they would not be able to communicate with an iPhone stored in a properly built Faraday box.
Nevertheless, the police document speculates that this may be a new iOS 18 security feature, as at least one device with iOS 18 installed rebooted after it was isolated and inactive. However, several other devices stored in the same area did not reboot, strongly indicating that Apple has not instructed iPhones running iOS 18 to tell other iPhones nearby to reboot.
Still, law enforcement officials recommend isolating iPhones running iOS 18 away from other iPhones that are in an AFU state, at least until further testing can take place.
The specific conditions that must exist for these reboots to occur is unknown and further testing and research would nee to be conducted to add more specifics to the new hurdle we are now faced with. What is known is that this new “feature” of some sort has increased the difficulty with forensically preserving digital evidence.
Matthew Green, a cryptographer and Johns Hopkins professor told 404 Media that he finds it “utterly bizarre and amazing” that law enforcement officials believe iOS 18 devices are rebooting nearby iPhones, calling it “deeply suspect.” However, he does admit that he was impressed with the concept.
“The idea that phones should reboot periodically after an extended period with no network is absolutely brilliant, and I’m amazed if, indeed, Apple did it on purpose,” he said.
So, what do you think Apple? Maybe a feature for a future iOS 18 update? Maybe it’s a future Apple Intelligence feature you could work on?
Update: A security researcher investigated further and posted a note on Mastodon explaining that this behavior is part of a new “inactivity reboot” feature in iOS 18.1 that automatically reboots phones that haven’t been unlocked in a while and has nothing to do with other iPhones being nearby.