In case you missed it, Apple released iOS 18.1 late last month. The update introduced a new security feature that will make it tougher for law enforcement agencies to use forensic tools to access pertinent data. As originally discovered by 404media, the latest iOS update now reboots an iPhone if it hasn’t been unlocked in four days.
While this might seem innocuous, Apple’s new reboot process prompts the iPhone to fall back into a Before First Unlock (BFU) state. This state is akin to when an iPhone has been powered on but not yet unlocked via a passcode. In turn, functionality is limited, and much of the phone’s data remains encrypted. Additionally, features like the Control Center, camera, Face ID, and more are inaccessible. The end result is that forensic investigators have a much tougher time accessing device data.
404media writes that the added security layer was confirmed by security expert Christopher Vance:
In a law enforcement and forensic expert only group chat, Christopher Vance, a forensic specialist at Magnet Forensics, said “We have identified code within iOS 18 and higher that is an inactivity timer. This timer will cause devices in an AFU state to reboot to a BFU state after a set period of time which we have also identified.”
AFU vs BFU
To better understand the ramifications of the latest iOS update, it helps to start with a quick overview of how the Before First Unlock state differs from the After First Unlock (AFU) state.
When a user unlocks their iPhone and the device is then put to sleep, it remains in an AFU state. This state allows various types of data and select system functions to remain active and accessible. When a phone enters a BFU state, the iPhone essentially locks down to a more significant degree.
The DigForCE Lab at Dakota State University adds some pertinent context:
A phone that is in the AFU state is that of any phone that has been unlocked at least once since the device has been reset or completely powered off. This is the case for the majority of powered-on phones currently being utilized. A phone that is in the AFU state stays in the state until the device loses power or is rebooted. While a device is in the AFU state, more information can be extracted from the phone, as the filesystem is no longer fully encrypted.
When a device is in the AFU lock state, an AFU extraction may be created. Compared to a BFU extraction, an AFU extraction contains a vast majority of all user-generated data, which can be seen as about 95% of a Full Filesystem extraction (these extractions will be discussed in the next section). This means an AFU extraction will contain user-generated chats, images, videos, web-browsing data, and much more. Compared to a Full Filesystem extraction, an AFU extraction does not contain Apple Mail, Apple Health, or significant location information. The amount of information you can receive from a device in the AFU lock state can be substantial, so it is important to keep an AFU device powered on. If the device is powered off, the lock state will switch to BFU which could lead to the loss of a lot of potential information.
All told, the new security update sounds like a nice safety feature for iPhone users. Law enforcement authorities, meanwhile, likely won’t be happy, as the update means they will have a tighter window to access data before the phone goes into a BFU state.