The FBI has been unable to access a Washington Post reporter’s seized iPhone because it was in Lockdown Mode, a sometimes overlooked feature that makes iPhones broadly more secure, according to recently filed court records.
[...]
“Because the iPhone was in Lockdown mode, CART could not extract that device,” the court record reads, referring to the FBI’s Computer Analysis Response Team, a unit focused on performing forensic analyses of seized devices. The document was written by the government and opposes the return of Natanson’s devices.
The FBI raided Natanson’s home as part of its investigation into government contractor Aurelio Perez-Lugones, who is charged with, among other things, retention of national defense information. The government believes Perez-Lugones was a source of Natanson’s, and provided her with various pieces of classified information. While executing a search warrant for his mobile phone, investigators reviewed Signal messages between Perez-Lugones and the reporter, the Department of Justice previously said.
[...]
Apple primarily markets Lockdown Mode as a feature to mitigate remote access spyware, such as that sold by companies like NSO Group to government agencies. “To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all,” Apple’s website reads. Essentially, Lockdown Mode makes some changes to how iOS works to make it harder for third parties to hack into an iPhone. It blocks most message attachment types; loads webpages differently; and stops FaceTime calls unless you’ve previously called that person in the last 30 days.
A small section of the Lockdown Mode page also mentions mitigations around connecting an iPhone to an external accessory. “Device connections: To connect your iPhone or iPad to an accessory or another computer, the device needs to be unlocked,” the Lockdown Mode page says. “To connect your Mac laptop with Apple silicon to an accessory, your Mac needs to be unlocked and you need to provide explicit approval.” Mobile forensics tools such as Graykey and Cellebrite, which law enforcement use to break into phones, work by physically connecting to a phone in order to unlock it.
[...]
The FBI was still able to access another of Natanson’s devices, namely a second silver MacBook Pro. “Once opened, the laptop asked for a Touch Id or a Password,” the court record says. Natanson said she does not use biometrics for her devices, but after investigators told her to try, “when she applied her index finger to the fingerprint reader, the laptop unlocked.” The court record says the FBI has not yet obtained a full physical image of the device, which provides an essentially complete picture of what was stored on it. But the agents did take photos and audio recordings of conversations stored in the laptop’s Signal application, the court record says.