29 November 2024, El Paso, Texas, Steven Zimmerman – Across the country, police departments work diligently to fight crime. One of the most significant tools in that fight is seizing a suspect’s cell phone.

Cell phones are ubiquitous and have become almost a natural extension of ourselves. When committing crimes, many bad actors will unwittingly use their cell phones. They’ll text coconspirators, record their crimes, and even plan a crime on their cell phones. However, Apple is making it harder for police departments to uncover criminals from bad actors’ cell phones.

Several officers with the El Paso Police Department have sent us the following email:

Apple iPhones with IOS 18 and above have a security feature that reboots the phone after 72 hours of inactivity to prevent unauthorized access to the user’s data. This feature is called “inactivity reboot” [sic] and it works by locking the user’s encryption keys in the phone’s secure enclave chip. 

For more information, here is an article about the update.

New Apple Security Feature Reboots iPhones After 72 Hours Of Not Being Unlocked

What does this mean for investigators?

If during an investigation an iPhone examination is going to be needed, it needs to be done within 72 hours from the last login, to obtain the most data.

This means the phone needs to be kept on, charged, and removed from the network. Remove the sim card if applicable or placed it in a faraday bag. (Note: Phones in faraday bags use more power due to it searching for signal so arrange to have a portable charger to place in the bag connected to the phone).

Complete all the necessary paperwork for the search authority in a timely manner. 

Bring the phone to DFU with in the 72-hour window so that it could connected to our unlocking tool. 

What happens if a phone is submitted past the 72-hours window?

We have had good exams of iPhones in an AFU state. It’s almost equivalent to a full extraction. We have not seen what kind of data is present after this reset, but if it places the device in a BFU state, the data will be very limited. 

This email is being set out to establish best practices for this new update. 

If you have any questions please feel free to contact us in DFU.

How does an “Inactivity Reboot”? It works on all iPhones with iOS 18 or later. After 3 days without use, the phone will restart on its own.

This reboot has some benefits:

• It clears out any possible bad code
• It resets the phone to a safe state
• It makes the phone harder to hack

Why does this matter to police departments? Are they trying to find a back door to your iPhone?

First and foremost, the reason law enforcement is concerned about this reboot is that it has the potential to destroy evidence.

“The Inactivity Reboot makes it impossible to retrieve user data,” says Moshe ben Simon, a security expert for mobile devices based in Israel. “I’ve tested several phones, allowing the seventy-two hour period to pass, and attempted to recover data from the phones. I was unsuccessful.”

Moshe ben Simon said that on each of the phones he tested, he placed specific videos, photos, and text messages that he hoped to recover after the Inactivity Reboot.

“While I found fragments of data, it was not usable or recoverable in any meaningful fashion,” says Moshe ben Simon. “I could see, for example, the dimensions of a PNG I placed on one phone but could not recover the actual image. Text messages were fully deleted, as were the videos.”

This enhanced layer of security should concern all of us. We live in a world where bad actors, such as terrorists and pedophiles, may begin to use the iPhone, knowing that if caught and the police cannot access data from the phone within three days, all evidence may be lost.

“We are now in an era where a corporation has become the unwitting participant in covering up or hiding evidence from the authorities,” says Moshe ben Simon.

When the phone reboots, it needs a passcode to unlock. Face ID and Touch ID will only work after a while. This adds more security. A passcode is more complex for others to guess or force.

Moshe and the officers who have reached out to me have a point.

“The way the law is right now,” said an officer with the New York City Police Department, “we don’t need a warrant to use a face or fingerprint to unlock a phone. If there is a code, that is a whole other set of problems we need to overcome.”

According to SES Law Partners, in Houston, Texas:

As per current law, the police have the authority to demand unlocking if your phone has facial recognition or fingerprint identification set. However, they cannot do so if you choose a pattern lock or a passcode/password.

The reason is clear: unlocking with a passcode implies knowledge of that code, constituting a testimonial act protected by the Fifth Amendment. In contrast, using facial recognition or fingerprints is considered a nontestimonial act, revealing no explicit knowledge.

While any form of lock on your cellphone might serve as a form of privacy, law enforcement’s capabilities can challenge this. Even facial recognition or fingerprint locks are not foolproof protection. Therefore, choosing a pattern lock or a passcode/password remains the safest choice.

“Apple and the new OS is going to be problematic for us,” says an officer with the El Paso Police Department. “We’ll have to move quicker on cellphone warrants and accessing the devices.”

The following document is from the New York State Intelligence Center and explains the new reboot:

“There needs to be a mechanism worldwide where law enforcement agencies are granted access to a phone running iOS 18 if we can show that potential evidence may be destroyed,” says Muhammad Amin, a forensic cellphone specialist. “Despite being a certified Cellebrite examiner and having their hardware on my desk, I could not get into locked iPhones after the reboot.”

Should Apple build a backdoor into iOS 18 for law enforcement?

That is a question that many have asked. The answer is yes; there should be a way for law enforcement to stop the seventy-two-hour reboot to allow time for a warrant and a police specialist to gain access to the device. This, however, needs to be overseen to protect it from illegal searches and fishing expeditions. Something does need to be done.

“We’re going to see cases,” says Muhammad Amin, “where an offender will have to be released because the evidence of their crime was obliterated after three days. That will encourage the offender to commit the same crime, or worse.”