Apple's update frustrates cops, and what you can learn from it
Apple's latest software update showcases how important digital hygiene can be.
Last week, 404 Media reported that Apple appears to have pushed a software update that causes iPhones to reboot themselves after going an extended period without being unlocked. (Early speculation tied the reboots to phones losing cellular connectivity; the actual trigger is time since the phone was last unlocked.) The behaviour, unearthed through FOIA requests, is particularly frustrating to police who have seized phones as evidence for investigations.
To understand why a reboot matters so much, let's take a look at the different states your phone can be in. Both Android phones and iPhones have two key states: Before First Unlock (BFU), the window between a phone powering up (or rebooting) and the user entering their passcode or PIN for the first time, and After First Unlock (AFU), everything from that first unlock until the next reboot. Modern smartphones encrypt user data with keys that are derived from the user's passcode combined with a secret bound to the device's hardware, so until the passcode has been entered once, those keys do not exist in memory and the data cannot be decrypted. After the first unlock, many of those keys stay resident in memory even while the screen is locked, which is how the phone keeps receiving messages and running apps in the background. That is also why, in the BFU state, certain functionality is disabled, like the feature that lets you use the camera without unlocking the phone.
While each department's capabilities vary, you can safely assume today that police have the ability to take a data dump from a smartphone regardless of which state it is in and regardless of whether they have the passcode (or can crack it; more on that in a moment). The key difference is how much of that data can be decrypted. A phone in the AFU state can yield roughly 95% of the user-generated data that a fully unlocked phone gives up in what's known as a Full Filesystem Extraction.[1] A phone in the BFU state yields far, far less, because most of its data is still locked under keys that only the passcode can unwrap. So for police, any seized phone that reboots itself before it has been imaged[2] drops from AFU to BFU, which significantly reduces the value of that device to their investigation.
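To make the BFU/AFU distinction concrete, here is an added example (toy code written for this article, not Apple's or Android's implementation) that models a passcode-bound key hierarchy: class keys stored on flash are wrapped by a key derived from the passcode and a device secret; unlocking unwraps them into memory; locking drops only the "complete" class key; and a reboot, including an inactivity reboot modelled with a configurable threshold, wipes them all. PBKDF2 stands in for the Secure Enclave's key tangling, a SHA-256 counter keystream stands in for AES, and the file names, contents and file-to-class assignments are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example: toy model of a passcode-bound file-protection hierarchy.
# Not Apple's or Android's real code. Assumptions: PBKDF2 stands in for the
# Secure Enclave's passcode tangling, a counter-mode SHA-256 keystream stands
# in for AES, and the inactivity threshold is a parameter of the model.

COMPLETE = "complete"                  # key available only while the phone is unlocked
UNTIL_FIRST_AUTH = "until_first_auth"  # key stays in RAM from first unlock until reboot


def derive_passcode_key(passcode: str, hw_secret: bytes) -> bytes:
    """Key-encryption key from the passcode plus a secret that never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), hw_secret, 100_000)


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter). Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Device:
    def __init__(self, passcode: str, inactivity_limit_s: float = 72 * 3600):
        self.hw_secret = os.urandom(32)
        kek = derive_passcode_key(passcode, self.hw_secret)
        # On flash: class keys wrapped under the passcode-derived key, plus a verifier.
        self.wrapped = {c: xor_keystream(kek, os.urandom(32)) for c in (COMPLETE, UNTIL_FIRST_AUTH)}
        self.verifier = hmac.new(kek, b"passcode-check", "sha256").digest()
        self.files = {}          # path -> (protection class, ciphertext)
        self.ram = {}            # class -> unwrapped key; this is all a reboot destroys
        self.locked = True
        self.last_unlock = None  # None means nobody has unlocked since boot (BFU)
        self.inactivity_limit_s = inactivity_limit_s

    def state(self) -> str:
        if not self.locked:
            return "unlocked"
        return "AFU" if self.last_unlock is not None else "BFU"

    def unlock(self, passcode: str, now: float) -> bool:
        kek = derive_passcode_key(passcode, self.hw_secret)
        check = hmac.new(kek, b"passcode-check", "sha256").digest()
        if not hmac.compare_digest(check, self.verifier):
            return False                     # wrong passcode: nothing changes
        self.ram = {c: xor_keystream(kek, w) for c, w in self.wrapped.items()}
        self.locked, self.last_unlock = False, now
        return True

    def lock(self) -> None:
        self.locked = True
        self.ram.pop(COMPLETE, None)         # UNTIL_FIRST_AUTH key deliberately stays resident

    def reboot(self) -> None:
        self.ram, self.locked, self.last_unlock = {}, True, None

    def tick(self, now: float) -> bool:
        """Inactivity reboot: fire if the phone has sat locked past the threshold."""
        if self.locked and self.last_unlock is not None and now - self.last_unlock > self.inactivity_limit_s:
            self.reboot()
            return True
        return False

    def write(self, path: str, cls: str, data: bytes) -> None:
        self.files[path] = (cls, xor_keystream(self.ram[cls], data))  # needs the class key in RAM

    def read(self, path: str):
        cls, ct = self.files[path]
        return xor_keystream(self.ram[cls], ct) if cls in self.ram else None

    def extract(self) -> dict:
        """What a forensic image can decrypt right now (None = ciphertext only)."""
        return {p: self.read(p) for p in self.files}


def walk_through() -> dict:
    """Constructed scenario: count readable files when seized in AFU, then after the reboot."""
    d = Device("2580")
    d.unlock("2580", now=0)
    d.write("photos/IMG_0001.jpg", COMPLETE, b"cat photo")            # class assignments are
    d.write("messages.db", UNTIL_FIRST_AUTH, b"hi, running late")     # illustrative only
    d.lock()
    d.write("messages.db", UNTIL_FIRST_AUTH, b"hi, running late\nok")  # arrives while locked (AFU)
    readable = lambda: sum(v is not None for v in d.extract().values())
    result = {"AFU": readable()}
    d.tick(now=d.inactivity_limit_s + 1)   # inactivity reboot fires
    result["BFU"] = readable()
    result["state"] = d.state()
    return result


if __name__ == "__main__":
    print(walk_through())
```

The model makes the forensic point visible: in AFU the messages database written while the phone was locked is still decryptable because its class key never left memory, whereas the photo protected under the "complete" class is not; after the reboot nothing is decryptable without the passcode, and a wrong passcode leaves the device in BFU.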
For police to make effective use of a phone in the BFU state, they typically need the passcode or PIN. If they can't obtain it directly, they may still be able to brute-force it using a device like the Graykey™ from Magnet Forensics®[3] or tools from the Cellebrite Inseyets[4] digital forensics suite.
Beyond this being an interesting and bold move on Apple's part,[5] there are two lessons you can take from this to keep yourself safe.
The first lesson is to always keep your phone's operating system up to date. This latest feature, dubbed an "inactivity reboot",[6] appears to have shipped with iOS 18.1. It is useful not only for thwarting police investigations; it also reduces the value of a lost or stolen phone that ends up in the hands of a thief or reseller, since the device falls back to BFU before anyone gets around to working on it. Keeping your phone's operating system updated is one of the most effective actions you can take to improve your digital safety. Make it a habit to check for updates regularly, and enable automatic updates.
The second is to use a strong passphrase on your phone. You should assume that 4- and 6-digit PINs can be trivially broken by the Cellebrite or Graykey tools. An alphanumeric passcode makes brute-forcing the phone considerably harder, and it is also much harder to shoulder surf[7] an alphanumeric passcode than a numeric PIN. In at least one case, the Ecuadorian prosecution of activist Ola Bini,[8] Peruvian media (es-PE) reported that an elevator security camera was used to capture his 8-digit PIN.[9]
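To put numbers on "trivially broken", here is an added example (written for this article, not from the original post or any forensic vendor) that estimates worst-case brute-force cost for common passcode choices, with and without a hardware-enforced delay between failed attempts. The guess rate and the delay schedule are assumptions of the model; the schedule is loosely modelled on the escalating delays iOS applies after repeated failures, but real values depend on the device and on whatever bypass a forensic tool uses.

```python
# Added example: brute-force cost model for passcode choices. The guess rate
# and the delay schedule below are assumptions, not measured tool capabilities.

DIGITS = "0123456789"
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Assumed delay (seconds) imposed after each of the first failed attempts, then a
# steady per-failure delay once the device decides it is under attack.
HEAD_DELAYS = [0, 0, 0, 0, 60, 300, 900, 900, 3600]
STEADY_DELAY = 3600


def keyspace(charset: str, length: int) -> int:
    return len(charset) ** length


def unthrottled_seconds(space: int, guesses_per_second: float) -> float:
    """Worst case when guesses can be fired at the key-derivation step freely."""
    return space / guesses_per_second


def throttled_seconds(space: int, head=HEAD_DELAYS, steady=STEADY_DELAY) -> float:
    """Worst case when every failed attempt must wait out the device's delay schedule.
    Correct guess lands last, so there are space - 1 failures; closed form avoids
    iterating 62**8 times."""
    failures = space - 1
    if failures <= len(head):
        return float(sum(head[:failures]))
    return float(sum(head) + (failures - len(head)) * steady)


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def compare(rate: float = 100.0) -> list:
    """Rows of (label, keyspace, unthrottled seconds, throttled years) for common choices.
    The default rate of 100 guesses/second is an assumption for illustration."""
    choices = [("4-digit PIN", DIGITS, 4), ("6-digit PIN", DIGITS, 6), ("8-char alphanumeric", ALNUM, 8)]
    rows = []
    for label, charset, n in choices:
        space = keyspace(charset, n)
        rows.append((label, space, unthrottled_seconds(space, rate), years(throttled_seconds(space))))
    return rows


if __name__ == "__main__":
    for label, space, fast, slow in compare():
        print(f"{label:22} keyspace={space:<18} unthrottled={fast:>14,.0f}s throttled={slow:,.1f}y")
```

The model shows the two things a practitioner needs to keep straight: without throttling, a 6-digit PIN falls in hours at even a modest guess rate while an 8-character alphanumeric passcode would take tens of thousands of years, and with the delay schedule intact even a 4-digit PIN would take over a year. A tool that cracks short PINs quickly is therefore not waiting out the delays, which is the practical reason to treat those PINs as broken and to pick a passcode whose keyspace holds up even if the delays don't.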
Having a more complex passcode is an inconvenience, but safety and convenience are often polar ends of the same axis. Each person needs to judge for themselves where they fall on that spectrum, but it's worth mentioning that law enforcement access to your phone can endanger friends and family members as well. Even if you have committed no crimes, you should assume that, in nefarious hands, the data on your phone can be skewed to fit any narrative a malicious actor wants to create.
The actual capabilities of law enforcement aren't fully known. However, stories like this, a result of the excellent reporting by 404 Media, help shine a light on what does and does not work to keep us safe. It's essential to have the best facts we can in order to make informed decisions to help us balance the tradeoffs between security and convenience. As this story shows, you can significantly improve your digital safety simply by keeping your phone's software up to date.
[1] For more on the data dumps, check out this excellent blog post by the folks at DigForCE Lab at Dakota State University.
[2] Imaging refers to making a direct copy of the available data on a device, which also preserves metadata.
[3] Graykey™ claims to be able to access a device's Keychain or Keystore, which would also give investigators access to credentials stored on the phone for countless other services and applications.
[5] Despite big tech's abysmal track record on privacy, Apple stands apart from its peers in actually appearing to value user privacy. I don't endorse products as a general rule, but I will say that I personally choose iPhones for their better security posture.
[6] As discovered by security researcher Dr.-Ing. Jiska Classen.
[7] "Shoulder surfing" means capturing secrets or login credentials by looking over someone's shoulder as they enter or read them.
[8] For full disclosure, Bini is a former employee of my current employer. Our tenures did not overlap; he left approximately a year before I joined.
[9] For non-Spanish speakers, the Electronic Frontier Foundation (EFF) covered Ola's case, as well.