GrapheneOS has a "reboot after x hours inactivity" feature specifically to prevent the scenario mentioned in the story. Otherwise leaving a phone powered on is a massive risk, especially if cops can keep it charged for months to wait for an exploit.
I very much doubt it. Far more likely to be a memory leak in the baseband which is exposed when the devices are unable to talk to the cellular network for a period of time.
This reads more like a chain email forward than an actual analysis of the iPhone tech stack.
Fwd: Fwd: READ THIS!!! You won't believe what the iPhone does when off network and around other iPhones!!!
> It is believed that the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.
The hypothesis doesn't make any sense because the phone doesn't need to communicate with other phones to decide to restart/lock based on lack of network signal.
> Matthew Green, a cryptographer and Johns Hopkins professor told 404 Media that the law enforcement officials' hypothesis about iOS 18 devices is "deeply suspect," but he was impressed with the concept.
Cops are some of the greatest "victims" in our society. Encryption will make their investigations more difficult. They'll be judged first by the basis of the race of their suspect and then by the suspected crime. Even bodycams (which they're now quick to hail as they're "recording too," when people record interactions with their phones) were going to impede their ability to do their jobs.
There are fewer groups with so much power who see themselves as downtrodden. I could name others, but that'd be going off-topic.
I don’t think it’s other iPhones that are sending a signal. Rather, it’s probably a security option that’s easy for most people to overlook in the Settings app. I have little knowledge about iPhone hacking, but I think in the same place where you can say “delete my data after 10 failed passcode attempts”, you can also force ask for a passcode to start using accessories again if it’s been a long time since it’s been unlocked. But I don’t think I have ever seen anything around rebooting. That sounds like a very nice feature though since rebooting apparently is good for making sure the phone clears spyware access.
Another option is that whatever bug Cellebrite was exploiting to extract data from iPhones in AFU mode is now subtly not working, leading to unexpected reboots when attempting extraction.
Why would the iPhones need to communicate in order to reboot? Just detect a lost network connection, add a timer, lack of normal user activity, some other signal, ....
What happens if one is in a place with no connectivity for a long time? There are areas of the world like that. Periodic forced reboots are useless and harmful there. Think about reading ebooks offline or following a map with only GPS on.
Additionally, this wouldn't require a periodic reboot; only one. So, phone in After First Unlock state loses cellular connection -> timeout period expires without being unlocked -> phone reboots. This process only restarts once the user unlocks it _and_ it has re-acquired a cellular connection.
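The purely local policy sketched in the comment above (AFU, cellular lost, timeout without unlock, reboot, countdown re-armed only after unlock plus network), modelled as an added simulation. This is illustrative code, not Apple's implementation; the 72-hour threshold, the event names, and the choice to reset the clock when coverage returns are assumptions.

```python
from dataclasses import dataclass, field

# Assumed threshold for the example; the thread does not state what Apple actually uses.
REBOOT_AFTER_HOURS = 72.0

@dataclass
class Phone:
    afu: bool = False         # After First Unlock: user keys have been loaded since boot
    locked: bool = True
    cellular: bool = True
    armed: bool = False       # countdown only exists once unlocked AND on network since boot
    hours_dark: float = 0.0   # hours spent locked with no cellular connection
    reboots: int = 0
    log: list = field(default_factory=list)

def reboot(p: Phone) -> None:
    """Return to Before First Unlock: keys gone, countdown disarmed until next unlock + network."""
    p.log.append(f"reboot after {p.hours_dark:.0f}h locked without cellular")
    p.afu, p.locked, p.armed, p.hours_dark = False, True, False, 0.0
    p.reboots += 1

def step(p: Phone, event: str, hours: float = 0.0) -> Phone:
    """Advance one event using only the device's own state; no peer device is consulted."""
    if event == "unlock":
        p.afu, p.locked, p.hours_dark = True, False, 0.0
        p.armed = p.armed or p.cellular
    elif event == "lock":
        p.locked = True
    elif event == "cell_lost":
        p.cellular = False
    elif event == "cell_found":
        p.cellular, p.hours_dark = True, 0.0   # assumption: regaining coverage resets the clock
        p.armed = p.armed or p.afu
    elif event == "tick":
        if p.armed and p.afu and p.locked and not p.cellular:
            p.hours_dark += hours
            if p.hours_dark >= REBOOT_AFTER_HOURS:
                reboot(p)
    else:
        raise ValueError(f"unknown event {event!r}")
    return p

def run(events, start=None) -> Phone:
    """Replay a constructed timeline of (event, hours) pairs."""
    p = start or Phone()
    for ev, h in events:
        step(p, ev, h)
    return p

# Constructed timeline: unlocked with coverage, locked, then shielded for four days.
SEIZED = [("unlock", 0), ("lock", 0), ("cell_lost", 0)] + [("tick", 24)] * 4
```

A device that was never on the network since boot never arms the countdown, which is the "only restarts once the user unlocks it and it has re-acquired a cellular connection" rule from the comment.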
> The digital forensics lab that noticed the issue had several iPhones in AFU state reboot, including iPhones in Airplane mode and one in a faraday box.
You can stop reading there. iOS 18 doesn't add freaking telepathy to phones. Whether it's a bug or a new feature Apple added that reboots phones under certain circumstances, it's not "iPhones communicating to force reboots".
I'm glad HN doesn't allow emoji, but I do wish I could add :facepalm: or :eye-roll: here.
It's the faraday box part in particular. Airplane mode isn't a true no-radios mode on iPhone (this is well-known, or should be on HN at least). But it does leave cellular radios off. Wifi and bluetooth might need to be separately disabled and with wifi, at least, it'll turn back on after a while. So maybe (being very generous), if bluetooth or wifi is enabled or becomes re-enabled, there's a signal between the iPhones that causes this reboot behavior.
But how is a device in a faraday box receiving this signal and rebooting? And why do they need a signal when they could just use their own clocks and determine that it's been X days or weeks since last going online and reboot?
> how is a device in a faraday box receiving this signal and rebooting?
Doesn’t need to. Being in a Faraday box is a reasonable trigger for a single reboot. That said, the most incredulous part of this story is that iPhones can detect when they’re in a Faraday cage.
I'm going to go ahead and assert that they can't tell. A Faraday cage is just a deliberate construction of a situation that happens all the time anyway. Hospitals have lots of shielded rooms in and around the radiology department. The basement of a steel building is basically the same. So is anywhere on a ship. My aged house has lath and plaster walls that can simultaneously survive a nuclear blast and also block Wi-Fi unless the amp's turned up to 11. There's no sensor in an iPhone that could tell that it's in a specially-constructed Faraday cage instead of a plain old dresser drawer in my bedroom.
I'm not sure if that's possible. What's the difference between that and someone sitting their phone on a metal cabinet?
I'm even more confident that Apple hasn't spent the research hours required to do that reliably, then incorporate the electronics and software needed into off-the-shelf phones, all to protect criminals from having their phones hacked under very specific conditions. That seems like a huge money sink.
> What's the difference between that and someone sitting their phone on a metal cabinet?
In a zero-signal environment? With other iPhones in very close proximity?
You can even measure your false positive rate by timing to first successful unlock. If it happens more than once, turn down the sensitivity on the feature (or turn it off completely).
(Were I designing this feature, I’d let phones in this state poll the other phones on how long they’ve been in it.)
But the claim is that other iPhones in the area are triggering the reboot. Setting that claim aside, though, how would the device even tell it's in a faraday box versus just out in the woods?
> the claim is that other iPhones in the area are triggering the reboot
Lack of motion? The information the other phones provide is proximity (it’s unusual for people to pile their phones together), that the radios still work and possibly a timeline, e.g. if the other phone says “I’ve been in a suspicious state for two days,” the first phone can change its priors.
Anything's possible, but I am highly skeptical of the notion. Their little speakers don't have infinite frequency response, and I haven't heard reports of young teens saying their phones make weird chirps. Also, why on Earth would Apple do this? The notion that iPhone A in AFU mode is anxiously listening for iPhone B to come along and send it an audio trigger that it should reboot is hard to believe. It would be way easier to just tell iPhone A to reboot after N hours in AFU mode if they wanted to accomplish such a thing. And why would iPhone B be sending the "OMG reboot yourself!" audio signal to iPhone A in the first place?
They don’t need infinite frequency response, and I don’t think it’s unusual to have a frequency response outside of human hearing. I know for a fact that Cisco uses frequencies outside human hearing to help pair your computer to meeting room screens.
Faraday cages used by law enforcement, such as [1], aren't impervious to RF.
They provide enough attenuation to keep phones off the cellular network and prevent GNSS from working, but not enough to prevent communication with nearby devices via Bluetooth or wifi.
A Faraday cage is an attenuator, which multiplicatively decreases signal strength by some constant (at least within a similar frequency band, which Bluetooth and 5G can be considered to be).
Unless the forensic lab has additional special shielding from cell towers, the received strength of both a reasonably close cell tower and a nearby Bluetooth transmitter would be pretty similar, so they'd both be attenuated similarly.
> A Faraday cage is an attenuator, which multiplicatively decreases signal strength by some constant
It's not constant at all. The level of attenuation varies greatly based on frequency. For the Ramsey STE3000 I have here, it varies by 40dB or more at the frequencies at which I've tested it. The enclosure is good for around -100dB at 700MHz, but only -60dB or so at 2.4GHz.
> (at least within a similar frequency band, which Bluetooth and 5G can be considered to be).
Even if you exclude mmWave and consider only the sub-6 bands, AT&T for example has LTE and 5G bands from 700MHz to 3700MHz. They're not similar at all. Worlds of difference in terms of propagation characteristics.
> the received strength of both a reasonably close cell tower and a nearby Bluetooth transmitter would be pretty similar
No, they wouldn't.
On my Pixel 8 Pro right now I'm seeing -93dBm from a tower about half a mile down the road (700MHz LTE), and -40dBm from the BLE radio in the HVAC controller on the wall of this room, about 8 or 10 feet away. That's a 53dB difference.
If I put my phone in the box, it attenuates the LTE downlink from down the street to well below the thermal noise floor. It cannot do the same for BLE; my phone can still talk to the HVAC controller from inside.
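The link-budget arithmetic behind the two comments above, as an added worked example (not code from the thread): the measured levels and enclosure losses are the ones quoted there, while the channel bandwidths and the SNR a receiver needs are assumptions. It shows why a frequency-dependent attenuator buries a distant LTE downlink but leaves a nearby BLE link well above thermal noise.

```python
import math

# Thermal noise density kT at roughly 290 K; the standard link-budget reference.
THERMAL_NOISE_DBM_PER_HZ = -174.0

def noise_floor_dbm(bandwidth_hz: float) -> float:
    """Thermal noise power integrated over the receiver's channel bandwidth."""
    return THERMAL_NOISE_DBM_PER_HZ + 10 * math.log10(bandwidth_hz)

def inside_margin_db(rx_dbm: float, enclosure_loss_db: float, bandwidth_hz: float) -> float:
    """Signal-to-thermal-noise margin after applying the enclosure's loss at that frequency.
    Negative means the signal sits below the noise floor and cannot be recovered."""
    return (rx_dbm - enclosure_loss_db) - noise_floor_dbm(bandwidth_hz)

def usable(margin_db: float, required_snr_db: float) -> bool:
    """A real receiver needs some SNR above the floor (plus its own noise figure) to decode."""
    return margin_db >= required_snr_db

# Constructed scenario from the figures quoted in the thread: -93 dBm LTE at 700 MHz with
# ~100 dB of enclosure loss, -40 dBm BLE at 2.4 GHz with ~60 dB of loss. The channel
# bandwidths and the required SNR are assumptions, not values from the thread.
SCENARIO = {
    "LTE 700 MHz": {"rx_dbm": -93.0, "loss_db": 100.0, "bw_hz": 10e6, "snr_db": 0.0},
    "BLE 2.4 GHz": {"rx_dbm": -40.0, "loss_db": 60.0, "bw_hz": 1e6, "snr_db": 10.0},
}

def evaluate(scenario=SCENARIO):
    """Return {name: (margin above thermal noise in dB, still usable?)} for each link."""
    out = {}
    for name, s in scenario.items():
        margin = round(inside_margin_db(s["rx_dbm"], s["loss_db"], s["bw_hz"]), 1)
        out[name] = (margin, usable(margin, s["snr_db"]))
    return out

if __name__ == "__main__":
    for name, (margin, ok) in evaluate().items():
        print(f"{name}: {margin:+.1f} dB vs thermal noise -> {'usable' if ok else 'buried'}")
```

The same arithmetic is what a forensic lab would use to decide whether an enclosure actually isolates a device from short-range radios, rather than trusting a single "attenuation" figure.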
Ah, then they could definitely communicate with each other.
And while I don't expect stock iPhones to do anything like what's being suggested in the article, I could see custom software activating a "panic mode" based on observations that plausibly suggest a device being in such an environment.
Not an audio command, but even just holding down the volume and side buttons to open the power off menu, without actually powering off your phone, triggers the same behavior.
That locks the phone, but a reboot presumably drops a lot of in-memory caches, to one degree or another. I don’t know whether (or how well) iOS zeroes out memory, but I can certainly imagine the AFU state is easier to target than the BFU state.
Very little, which is why if you enable automatic updates on iPhones they try to apply those updates at night while the device is locked and charging, when most people are sleeping. If you're using the phone it won't activate at night and will let you know that it couldn't install the update.
Only harm I could see is if someone grabs their phone to make an emergency call and it's rebooting or locked and, in their sleepy state, they have trouble unlocking it.
However, I do think a 12 hour "Phone hasn't been unlocked, reboot it" seems like a logical security feature to add.
Just about sums it up.
The purpose of this is to counter a thief putting your phone into aeroplane mode to prevent you remote locking or erasing the device.
https://support.apple.com/en-us/121161#a181 (last item)
This is only happening on phones that are currently locked, but which were previously unlocked since the last reboot.
Could easily just be a memory leak that is accumulating until the OS crashes.
Edit: I noticed it's "box" and not "cage" but I think the same what-if applies here.
[1] https://ramseytest.com/rf-shielded/forensic-enclosure/
I can say from experience that it is not.
You’re in for a bad time refusing to unlock at most borders.
Maybe the isolated phone has a feature where it reboots after being unable to find a peer?
The article is kind of confusing about this.