Law enforcement officials are facing challenges after multiple iPhones being held for forensic examination unexpectedly rebooted, potentially wiping out critical data. According to a report obtained by 404 Media, these incidents occurred on devices running iOS 18.0 that had been offline for extended periods, even when placed in secure conditions like Airplane Mode or a Faraday cage.
The rebooting issue has raised suspicions among investigators. They hypothesize that a change in the iOS 18 software could be responsible for causing idle iPhones to restart themselves, especially if disconnected from cellular networks. Once these iPhones reboot, they enter a more secure state known as BFU (Before First Unlock), which significantly complicates forensic analysis.
Understanding the AFU vs. BFU States
The terms AFU (After First Unlock) and BFU (Before First Unlock) refer to the states of an iPhone with regard to encryption. When an iPhone is first powered on and remains locked, it is in a BFU state where most of its data is encrypted and inaccessible. In contrast, an AFU state device has been unlocked at least once, making it more susceptible to forensic tools.
Forensic teams often rely on the AFU state to extract data. However, if the iPhone reboots into a BFU state, it becomes nearly impossible to access its contents without the device’s passcode or biometric data. This presents significant hurdles for law enforcement, especially when investigating criminal cases.
Law Enforcement's Theory and Potential Causes
A leaked document from law enforcement in Detroit suggests that the affected iPhones might be exchanging signals with each other, prompting reboots. The theory proposes that devices running iOS 18 may be programmed to restart after a certain period of inactivity or being off-network, thereby enhancing security.
However, cybersecurity experts like Matthew Green, a cryptographer from Johns Hopkins University, are skeptical of this theory. Green describes the notion of iPhones intentionally rebooting themselves as "deeply suspect," yet acknowledges that if true, it would be an impressive security measure by Apple.
A More Plausible Explanation: iOS Bug or Hardware Issue
There may be a simpler explanation. Around the same time, many users reported iPhone 16 Pro models experiencing random reboots, likely due to a bug in iOS 18.0. Apple later addressed this issue in the iOS 18.1 update, released on October 28, 2024.
The timeline of the reported forensic reboots coincides with the known bug, suggesting that these issues might not be intentional security features but rather a glitch affecting certain iPhone models. Additionally, hardware malfunctions, such as faulty batteries or baseband chips, could also cause spontaneous reboots, particularly in older or heavily used devices.
Implications for Law Enforcement and Users
Whether caused by a bug or a deliberate security feature, this incident highlights the ongoing tension between device privacy and forensic analysis. Apple’s focus on user privacy and data security continues to create challenges for law enforcement agencies trying to access information from seized devices.
While iOS 18's reboot behavior remains under investigation, users can rest assured that Apple is committed to securing personal data. However, these developments underscore the importance of keeping iOS devices updated to avoid unexpected issues.