Apple Snuck In Code That Automatically Reboots Idle iPhones And Cops Are Not Happy About It
from the phone-cracking-now-has-a-countdown-timer dept
Detroit law enforcement officials got a bit of a shock last week when some seized iPhones rebooted themselves, despite being in airplane mode and, in one case, stored inside a Faraday bag. Panic — albeit highly localized — ensued. It was covered by Joseph Cox for 404 Media, who detailed not only the initial panic, but the subsequent responses to this unexpected development.
Law enforcement officers are warning other officials and forensic experts that iPhones which have been stored securely for forensic examination are somehow rebooting themselves, returning the devices to a state that makes them much harder to unlock, according to a law enforcement document obtained by 404 Media.
The exact reason for the reboots is unclear, but the document authors, who appear to be law enforcement officials in Detroit, Michigan, hypothesize that Apple may have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time. After being rebooted, iPhones are generally more secure against tools that aim to crack the password of and take data from the phone.
The problem (for the cops, not iPhone owners) is that the reboot takes the phone out of After First Unlock (AFU) state — a state where current phone-cracking tech can still be effective — and places it back into Before First Unlock (BFU) state, which pretty much renders phone-cracking tech entirely useless.
The speculation as to the source of these unexpected reboots was both logical and illogical. The logical assumption was that Apple had, at some point, added some new code to the latest iOS version without informing the public this new feature had been added.
The other guesses were just kind of terrible and, frankly, a bit worrying, considering their source: law enforcement professionals tasked with finding technical solutions to technical problems.
The law enforcement officials’ hypothesis is that “the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.” They believe this could apply to iOS 18.0 devices that are not just entered as evidence, but also personal devices belonging to forensic examiners.
These are phones, not Furbies. There needs to be some avenue for phone-to-phone communication, which can’t be achieved if the phones are not connected to any networks and/or stored in Faraday cages/bags. The advisory tells investigators to “take action to isolate” iOS 18 devices to keep them from infecting (I guess?) other seized phones currently awaiting cracking.
Fortunately, a day later, most of this advisory was rendered obsolete after actual experts took a look at iOS 18’s code. Some of those experts work for Magnet Forensics, which now owns Grayshift, the developer of the GrayKey phone cracker. This was also covered by Joseph Cox and 404 Media.
In a law enforcement and forensic expert only group chat, Christopher Vance, a forensic specialist at Magnet Forensics, said “We have identified code within iOS 18 and higher that is an inactivity timer. This timer will cause devices in an AFU state to reboot to a BFU state after a set period of time which we have also identified.”
[…]
“The reboot timer is not tied to any network or charging functions and only tied to inactivity of the device since last lock [sic],” he wrote.
It’s an undocumented feature in the latest version of iOS, apparently. And one that isn’t actually a bug dressed in “feature” clothing. This was intentional, as was Apple’s decision to keep anyone from knowing about it until it was discovered, presumably. Apple has issued no statement confirming or denying the stealthy insertion of this feature.
Law enforcement officials and the tech contractors they work with aren’t saying much either. Everything published by 404 Media was based on screenshots taken from a law enforcement-only group chat or secured from a source in the phone forensics field. Magnet Forensics has only offered a “no comment,” along with the acknowledgement the company is aware this problem now exists.
This means iPhones running the latest iOS version will need to be treated like time bombs by investigators. The clock will start running the moment they remove the phones from the networks they use.
This isn’t great news for cops, but it’s definitely great news for iPhone owners. And not just the small percentage who are accused criminals. Everyone benefits from this. And the feature will deter targeting of iPhones by criminals, who are even less likely to be able to beat the clock with their phone-cracking tech. Anything that makes electronic devices less attractive to criminals is generally going to cause additional problems for law enforcement because both entities — to one degree or another — know the true value of a seized/stolen phone isn’t so much the phone itself as it is the wealth of information those phones contain.
Filed Under: device cracking, device encryption, device security, encryption, law enforcement, security
Companies: apple, grayshift, magnet forensics


Comments on “Apple Snuck In Code That Automatically Reboots Idle iPhones And Cops Are Not Happy About It”
What did they think the faraday bags were for? Why are cops so fucking stupid?
Re: I'll happily answer your question.
Why are the cops so stupid?
Well about that. https://abcnews.go.com/US/court-oks-barring-high-iqs-cops/story?id=95836
Score too high on an IQ test and they basically won’t hire you. That’s why.
https://melmagazine.com/en-us/story/robert-jordan-too-smart-to-be-a-cop
Re: Re:
What the actual f*ck?
Note one of the consequences of this
“[…] Apple may have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time.”
This covers the case where the iPhone has been disconnected from a cellular network, and that’s fine. What about the case where the cellular network has been disconnected from the iPhone?
To clarify: I’m talking about long-term cellular network failures, for example what’s happened and is happening in western North Carolina right now. This is common in natural disasters, because the cellular network is far more brittle than cable/fiber networks (which are in turn far more brittle than copper networks).
Now it may be that having a phone return to this locked state doesn’t really matter (a) because there’s no cell network to use anyway and (b) because the owner can unlock it if the cell network comes back up or they find a working wi-fi network etc. But I think it’s something to keep in mind.
Re:
Later in the article it clarifies that network connectivity has nothing to do with it. The feature is basically an undocumented auto-lock timer where the “locking” is done by rebooting the phone.
Re:
Before first unlock is a state that disables touch and face ID, and prevents access to the data on the phone until it is unlocked. This thwarts criminal attempts to exfiltrate data.
Unlocking a phone by pin or password is trivial for the end user. We do it every day. This should not prevent users from accessing the data on their phone even if it was engaged, regardless of network connectivity.
Re: Huh?
Since when can you not open an iphone in airplane mode or offline? IIRC I’ve done it plenty of times.
This sounds something like the “booby trap” mode that I have mentioned that some Samsung phones have.
Samsung goes further than Apple. If that mode is set, too many failed password attempts and the phone wipes itself and resets, and cannot be fully reset without your Google password.
There is no law in either South Korea (where Samsung makes their phones) or anywhere in the USA, Canada, or Mexico that makes it a crime to set this mode.
I have done it on road trips so that when I go to any “asset forfeiture” state, the cops will not be able to access my phone if it is ever seized. It will just make an expensive paperweight.
What Samsung does and what Apple does does not break any laws in Canada, Mexico, or the United States or in China (where Apple phones are made) or in South Korea (where Samsung phones are made)
The only thing that will work is incoming calls as long as the service on the phone is active
Re:
iPhones have supported erasing the phone after N (usually 10) failed attempts for years. It will also force a delay before the next attempt to enter the passcode after a few failures.
Re:
There is nothing about what you’ve said that is meaningfully different than the same feature that Apple has had for at least as long. I readily admit it’s been a decade since I tried Android, so I’ll err on the side of over explaining things here, but I am led to believe Android is similar to iOS.
When an iPhone restarts, it requires a pin/passcode/password before it can connect to external devices or use biometrics. This state is known as Before First Unlock. This state is more secure than After First Unlock. BFU also more heavily restricts the use of lock screen widgets, like notifications, the camera, and the quick settings menu, called the control center in iOS.
To better secure idle phones (that by their idle nature imply the phone has been taken or are not in current use), Apple now soft reboots the system to return to a Before First Unlock state. This prevents hacks that use the AFU state to exfiltrate data without a passcode, or prevent various means of gaining biometric access without the proper consent of the phone’s owner.
This is on top of encrypting data and automatically erasing data if improper passcodes are provided as you describe.
That’s a recommendation from CIA to reboot phones regularly… to improve security (exiting background services, closing stale file accesses, restoring default states, etc.). This can also improve battery life.
For years now, Samsung phones can be programmed to reboot every night or every week. Many other manufacturers offer similar options.
Re: To reuse a Techdirt cliche...
CIA: You should keep your phone secure through the settings provided.
Suspect:
Police: Not like that!
Re:
Like most iOS features, every Android phone has had this ability for at least 2 years. It’s not on (on any phone afaik) by default, though.
"Snuck in"?
“Snuck in code” doesn’t mean much when Apple is keeping almost all of their code secret. There are probably a million changes that were “snuck in”, over the years, without a specific release note.
Libs have so alienated themselves from normal masculinity (pathologizing it has been a concerted ideological project for more than a decade now), I don’t think they’re ever going to be able to find their way back.
Re:
“Normal masculinity” = fucking your country over by giving it up to a douchey paint-chip muncher who has to pay pornstars for sex and has failed in business far more than he’s succeeded, who uses comically orange skin coloring, and risers to compensate for his napoleon complex and insecurity. Really picked a great example there, buddy.
Re: Re:
The TDS is strong with this one
Re: Re: Re:
The Putin checks still arriving? Something must be wrong, sit tight it will be corrected soon.
Re: Re: Re:
What’s more deranged than wasting your time while not getting paid to defend a man who wouldn’t spit on you if you were on fire?
Re:
L-I-B-S is certainly not the way I’d spell ‘conservative Christians’.
'How am I supposed to look into their bedroom windows now?!'
Watching law enforcement freak out over stuff like this is the equivalent of watching a serial peeping tom getting indignant over people in their neighborhood installing blinds on their windows, and for the same reason: If they hadn’t shown absolutely no restraint then maybe the recipients of their ‘attention’ might not have felt the need to ramp up the actions they were taking to protect their privacy.
Re:
…and they’re the same people, per yesterday’s Techdirt article: Seventh Circuit Again Says Long-Term Pole Camera Surveillance Isn’t Unconstitutional.
Re:
I’m pretty sure Apple’s reason for including this had nothing to do with law enforcement. There’s been a recent upswing in iPhone thefts with a ring that’s able to wipe the phones from AFU mode via some ingenious phishing. The news of this surfaced slightly before iOS 18 was released in beta. So most likely, Apple added this feature as a way of protecting people’s phones from this theft+phish approach to stealing phones.
Re: Re:
Oh I agree with you, Apple’s motives here are almost certainly entirely centered around protecting their customers/users from criminals who steal their devices by making it that much harder to break into them, I just find it amusing how often law enforcement acts as though anything that protects privacy and security is a personal affront to them and treats it as something solely designed to benefit criminals, when in point of fact it’s law enforcement’s war on encryption and privacy that stands to benefit criminals the most.
So this means Apple could be charged with obstruction of justice.
Re: That's not how that works. That's not how any of that works
Oh sure, just like how homeowners can and should be charged with obstruction for having blinds on their windows when cops really want to see in but either can’t or can’t be bothered to get a gorram warrant.
Re:
No it is not. There is no law in any of the 50 states that makes it illegal for Apple to do that or Samsung to have “booby trap” mode in their more expensive phones.
In the case of Samsung, they are in South Korea and are not subject to any American laws even if booby trap did not break some kind of laws here.
Here is Tim Cushing openly praising obstruction of justice, in case you’re wondering why his only job in a decade has been writing for Techdirt.
Re:
What obstruction?
I fail to see any.
Perhaps you could provide a detailed account of the various legal tenets used to arrive at the conclusion that obstruction was committed by Apple for the inclusion of a benign security option recommended by the experts in the field.
btw, yer a bit weird.
Re:
Do you have a shirt that says “I’m with stupid,” with the arrow pointing up?
Re:
Criminals hate Apple’s anti-criminal measures.
News at 11.
Re:
Here, anonymous troll is copsucking authoritarianism and openly praising violation of 4th Amendment rights. And he’s not getting paid to do this like Tim is getting paid for writing the article he’s shitting on.
Re: Re:
‘Anonymous troll’ sounds a lot like davec.
Re:
If “justice” means “cops (and criminals) have the ability to access the data on your phone whenever they want and for any reason”, then yeah let’s obstruct the hell out of it.
This is the new “Christine” model iPhone.
Here is a damn good reason why phones need to be cop proof
https://www.washingtonpost.com/nation/2024/11/15/law-enforcement-nude-photos-traffic-stops/
The women in either case should have REFUSED to give the cop her password. There is no law in Missouri a cop can use to compel you to unlock your phone.
Even if the phones were seized, assuming they were Android phones, either woman could have gone to her Google account and sent a command to wipe the phone next time it connects to the network.
Once the phone came out of the Faraday bag and was back on the network, the command to wipe the phone would execute and the phone would wipe itself, meaning they get nothing. And there is not one of the 50 states
This is, unless, the cop shop is using a jammer. I think some do because when one police substation used to be in one strip mall here my cellular Internet would stop on that part of the street and then start up again once I got down the road.
The Sheriffs office here was NOT breaking ANY laws if they were using any jammers in that cop shop. If I went to Dominos Pizza, which was right next door, my cell phone service died, but started up again when I got down the road.
If it is part of the execution of their duties, the FCC has no jurisdiction over that. They cannot ban your local police from using cell phone jammers to stop seized phones from being wiped.
Just like communications used by the United States Armed Forces are not subject to FCC jurisdiction. If military communications should be jammed, the Uniform Code Of Military Justice has the jurisdiction on that, and not the FCC.
Jamming military communications is a violation of the UCMJ and not any FCC rules because the FCC does not have jurisdiction over the US military.
Re:
Yes, they were, criminal mastermind. Try some research before you comment again, why don’t you?
Re: Re:
Not if they are doing that in the performance of their duties.
Also, there is one car dealership around here that jams cellular data.
When I had to drive a friend of mine over there to buy a new car I found that cell phone service is screwed up there, and the dealer that was servicing my friend told me that it was company policy to jam cell phones in the building to keep employees from using anything other than the company supplied Internet.
The boss wants his workers focused on their work, so he does have the right to jam cellphones in the building. That is company policy and does not break any laws in California.
Also, some states, in proposed school cell phone bans, will allow schools to install and use cell phone jammers to enforce that rule.
If state laws allow that, then it is legal for the schools to do it.
Re: Re: Re: It seems you may be incorrect on a few things
“If state laws allow that, then it is legal for the schools to do it.”
Not in the US
https://www.fcc.gov/general/jammer-enforcement
Re: Re: Re:
Funny, I read the link posted by AC and there is no exemption from the anti-jamming law for state or local LEAs regardless of the circumstances. As AC suggested, you should read more before giving your half-assed opinion of what the law does and does not allow.
Repeating the mistake?
Hasn’t the article just been at pains to explain that the timed reboot has nothing to do with data communications?
Would it not be more correct to say “The clock will start running the moment they seize a phone”?
Re:
If I read it correctly, the article said the timer starts with loss of network connectivity. Whether that is both/either wifi/cell, idk.
Re: Re: Read it again
not tied to any network activity
As I interpret this and other articles on the topic, the only real hope that someone who doesn’t know the passcode has (whether it’s an investigator or a criminal) is to obtain a phone in an unlocked state and keep it that way until exfiltration is complete.
So, grabbing a phone while someone is using it, or being in a position to compel biometrics if the phone is in AFU state so it can be unlocked would seem to be about it. If it’s locked but in AFU then you have to hope your “cracking toolkit” will work before the phone reboots into BFU state. No more hanging onto a phone you can’t currently crack until an exploit is developed.
Re: Re: Re:
That might not work well as a nav assist device, it could reboot in the middle of a complex roundabout spaghetti bowl civil engineering nightmare. I guess inactivity would include whether there are any active apps? idk.
Tortoise and the hare
Who wins in the Security business?
Anyone remember what the FBI DID and failed.
The other guesses were just kind of terrible and, frankly, a bit worrying, considering their source: law enforcement professionals tasked with finding technical solutions to technical problems.
Indeed, they are like so many theories-of-a-crime that this is merely illustrative.
Occam's Razor shaved these LEO 'experts'
Their voiced thoughts were that phones were talking to each other?
Phone 1 tells Phone 2 to reboot when Phone 1 has been locked for too long?
None of these ‘experts’ realized that Phone 2 isn’t necessary in their own scenario? Much less that there is a simpler and easier answer?
After reading the second 404 Media story, I felt like Sherlock Holmes or Jonathan Creek. An overly complicated solution fails in the face of likelihood and Occam’s Razor.
Oh noes… the FBI might end up with more phones they can’t unlock!!!
Someday they might even figure out how many phones that is.
Of course this time end a bunch of the we grabbed their phone because we could & we’ll get around to looking around in it when we feel like it. Imagine a world where they need an actual warrant to root around in someone’s phone fishing for things they think they might find.
Actual investigations instead of just stealing people’s phones & holding them for however long they want.
Security comes first. Cops can go F themselves in the ass.
Sorry, we shouldn’t celebrate a massive company “sneaking in” such a significative feature secretly.