iOS 18 Introduces Automatic Reboot to Protect iPhones from Forensic Analysis

Law enforcement agencies in the United States are warning colleagues and forensic experts about a new challenge when working with iPhones stored for forensic examination. According to an internal document obtained by 404 Media, devices that were previously seized and kept in isolated conditions are unexpectedly rebooting, making it more difficult to unlock them and extract data.

The cause of these sudden reboots remains unclear. The document, reportedly authored by Detroit law enforcement officials, suggests that Apple may have introduced a new security feature in iOS 18. The theory is that iPhones may reboot if they remain out of cellular network coverage for an extended period. After rebooting, the devices become more resistant to tools designed to crack passwords and extract information.

The document emphasizes the need to inform colleagues about the situation with iPhones that reboot within a short timeframe (observed within 24 hours) when disconnected from the cellular network. This is especially relevant for devices stored in isolated conditions for forensic analysis. Apple has not yet commented on whether this feature was intentionally added to iOS 18.

Impact on Forensic Investigations

Several iPhones kept in a forensic lab in the After First Unlock (AFU) state suddenly rebooted and lost this status. Devices in AFU are considered more accessible to law enforcement using specialized hacking tools. However, after rebooting, the iPhones switched to the Before First Unlock (BFU) state, making data access impossible with current technologies.

Back in April 2024, mobile forensics company Cellebrite reported that a significant portion of modern iPhones had become inaccessible to their hacking tools. Three iPhones running iOS 18.0 arrived at the lab on October 3. Experts believe that devices with iOS 18 may have exchanged signals with other iPhones in AFU state stored nearby. This connection could have triggered a reboot command for devices that had been inactive or offline for a long time. Theoretically, this could affect not only seized devices but also personal phones of forensic experts if they are nearby.

Recommendations for Forensic Labs

The document concludes with a list of recommendations for labs involved in data extraction. In particular, it advises isolating devices in AFU state from possible contact with iPhones running iOS 18. Labs are also encouraged to inventory existing devices and check for unexpected reboots and loss of AFU status.

Additional Security Measures in iOS 18

With the release of iOS 18, Apple has taken another step in combating the market for used parts from stolen devices. Now, the activation lock feature applies not only to the iPhone itself but also to its main components, such as the battery, cameras, and display. This innovation is aimed at preventing the resale of stolen parts and provides additional protection for users.