430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

iPhones in a law enforcement forensics lab mysteriously rebooted losing their After First Unlock (AFU) state

Law enforcement warns that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them harder to unlock, reported 404 Media. Law enforcement warns that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them much harder to unlock, per a document obtained by 404 Media. 404 Media obtained the document from a mobile […]

Apple Signal

Law enforcement warns that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them harder to unlock, reported 404 Media.

Law enforcement warns that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them much harder to unlock, per a document obtained by 404 Media.

404 Media obtained the document from a mobile forensics source and verified it with another source.

The document notes that some iPhones in a forensics lab, including those in Airplane mode or a Faraday box, rebooted unexpectedly, losing their “After First Unlock” (AFU) state.

iPhones in an “After First Unlock” (AFU) can be accessed by law enforcement by using forensics tools like Cellebrite.

Once rebooted, the devices went into a Before First Unlock (BFU) state, which makes unlocking them much harder, as current tools can’t crack BFU iPhones. Three iPhones running iOS 18.0 were added to the lab on October 3, and officials hypothesize that these devices may have communicated with other iPhones in AFU mode, triggering a reboot if they were inactive or off-network. This could impact both evidence and personal devices running iOS 18.

This is the first time that this mysterious behaviour has been documented. The authors of the document appear to be law enforcement officials in Detroit. The experts believe a new security feature implemented in iOS 18 caused iPhones to reboot when disconnected from cellular networks.

“After being rebooted, iPhones are generally more secure against tools that aim to crack the password of and take data from the phone.” reported 404 Media.

“The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network,” reads the document seen by 404 Media. 

Below is the hypothesis reported in the document.

“It is believed that the iPhone devices powered on in the vault in AFU, that if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network. It is unclear what the exact settings are on the other AFU devices that did not reboot is there a difference in chipset, is their Bluetooth off or on, is auto-update off or on? However, the one (1) iOS 18.0 device that was isolated also reboot after a period of isolation and inactivity. This gives evidence to believe this is an iOS 18.0 security feature addition.”

The document recommends forensics labs to isolate AFU devices from iOS 18 devices to prevent unexpected reboots that erase the AFU state. It suggests taking inventory to check if any AFU devices have already rebooted.

Apple has not yet commented on the issue.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, iPhones)