If you are not a member of DFIR Discord you are really missing out. It is a fantastic resource. I am constantly learning stuff from the practitioners there and it helps me keep up with trends in areas to which I am not regularly exposed. Andrew Rathbun & crew have really done an outstanding job with it. This post is a direct result of a question that was asked on DFIR Discord, and, quite frankly, my lack of knowledge about a particular piece of hardware.
The question was about the capabilities of the powered-off tracking feature in iOS 15, and how it related (if at all) to remote wiping. This post, while not really “forensic-y,” will answer a few questions that can help examiners and investigators safely handle newer iOS devices. Plus, it is related to a previous post I wrote; this was the post I intended to write a few months ago.
According to my testing, the short answer is that, as of iOS 15.0.2 (15.1 was released while I was writing this), an iPhone cannot be wiped while it is powered off. There are some other nuances about the powered-off tracking capability that are important to know, and this post describes those below.
To test this feature, I used an iPhone 11 and an iPhone 12 Pro, both running iOS 15.0.2. Both of these devices have Apple’s U1 chip (Ultra Wideband), which makes the powered-off tracking feature possible. i-Devices that do not have this chip cannot be tracked while powered off.
Testing, Testing, 1-2-3
If you read the iCloud Lies article you already know the setup. I gave the powered-off iPhone 12 Pro to my spouse while she left to run errands. I confirmed that her device was running 15.0.2, Bluetooth was turned on, and it was enrolled in the FindMy network. The iPhone 12 Pro was merely turned off; the cellular, Wi-Fi, and Bluetooth radios were enabled when I powered down. See Figure 1.
The 12 Pro was off, but it was within tracking distance of my other i-Devices, including an iPad that was also using Bluetooth, so the 12 Pro could easily be located. Note the time it was last seen (6 minutes ago – red box) and the time of the screenshot (07:37 – green arrow & box). Now see Figure 2. Note that my location is depicted by the AirPods Pro icon (and sometimes an iPad icon).
I knew where my spouse was going and the route she was taking, so the location seen in Figure 2 is accurate (purple box). At this point, the only thing that was near the 12 Pro was the iPhone 11. But note the distance from my location (5.2 miles – blue arrow), the time last seen (2 minutes ago – red box), and the time of the screenshot (07:39 – green box). Figures 1 and 2 are a good example of something I noticed during the testing: there was a delay between when the 12 Pro was seen and when FindMy was updated with the new location. I observed delays in the FindMy updates anywhere from one to 10 minutes. The time lapse was long enough for me to turn on “Notify When Found” and “Mark As Lost” in hopes that they would force FindMy to update, but that did not seem to have any effect. If you find yourself having to track a device, just know that there can be delays in updates from FindMy, so some patience may be needed.
The next update is shown in Figure 3, and it only shows the approximate location of the 12 Pro. Again, I knew the route being taken, so the approximation was still accurate, but I noticed that occasionally I would only get an approximate location rather than an exact one. A minute later, I got another update, seen in Figure 4.
The takeaway here is that FindMy works with a U1 device while it is powered off.
My spouse had arrived at one of her destinations, so I waited about fifteen (15) minutes and then initiated the remote wipe. To see how this looks from a user’s standpoint, see Figures 5, 6, & 7. Note the highlighted language in the red box in Figure 5.
Once I entered the iCloud password, the wiping command was confirmed, and I was brought back to the main FindMy screen. See Figure 8. Notice the status seen in the red box.
After I initiated the wipe, there was nothing. My spouse said the phone made no noises and showed no signs of activity. She left her location about 12 minutes later. Figure 9 still shows “Erase Pending…” along with an approximate location; because I knew where she was going and the route she would take, I could tell the approximate location was accurate. I got an exact location about a minute later (Figures 10 and 11).
On the way to her next location, my spouse stopped at a Sheetz (gas station). See Figure 12. Note the erase is still pending.
I wanted to check on iCloud and see how it was handling the powered-off tracking. The results were not surprising. See Figure 13.
If you read the iCloud Lies post, you will not be surprised by this. The location iCloud is reporting is nowhere near where the phone was actually located (the last time iCloud saw the 12 Pro was four (4) hours prior to the screenshot). Interestingly, iCloud does report the “Erase Pending” status. If you have not read the iCloud Lies post, I encourage you to do so.
The 12 Pro came back to me about an hour later. The phone was powered off and did not show any signs of activity. The “Erase Pending” status was still showing while the phone was within Bluetooth distance (roughly 30 feet) of several other i-Devices. The status never changed.
One thing I did want to test was how this would work in a simulated lab environment. At my previous lab, our work area had password-protected Wi-Fi networks and Bluetooth signals available (from other examiners’ personal devices and from staff who might walk by with their devices), but no cellular service. I imagined a worst-case scenario: a phone had been lawfully seized, but the seizing individual forgot to disable the radios on the phone and turned it off in that state. To simulate this, I removed the SIM card from the 12 Pro (for the “no cellular service”) but left the Wi-Fi and Bluetooth radios on. My current office area had multiple Wi-Fi networks available (both 2.4 and 5 GHz), but each network was password protected; the 12 Pro did not have access to these networks. Additionally, there were multiple i-Devices around me, including an iPhone 11 (a U1 device), an Apple Watch Series 6, and a current-generation iPad Air, all with Bluetooth enabled. I ran this test multiple times and snagged a video of it during the last test (there is no audio in the video). See the results below.
Note: I am aware removing the SIM card from an iPhone changes its state; the removal was merely to simulate the lack of cellular service. The decision to remove the SIM card from an iPhone is one that needs to be made at the time of seizure based on the circumstances surrounding the seizure.
As seen in the video, even with the Wi-Fi and Bluetooth radios enabled, the 12 Pro was still not able to receive the wipe command. However, had the phone been able to establish a cellular connection or connect to one of the available Wi-Fi networks, it would have been game over.
There has been some concern about the iOS 15 powered-off tracking feature and how (or if) it is related to the ability to remotely wipe an iPhone. The good news is that, for now, the two are not related; an iPhone cannot be wiped while it is powered off. Obviously, Apple can always change this; however, existing practices (i.e., disabling all radios on an iPhone, or the use of a Faraday enclosure to prevent outside communication) will still protect an iPhone from remote wipes, and from remote tracking (powered on or not).
Keep in mind that powered-off tracking does introduce unique OpSec challenges if all radios on an iPhone are not disabled, especially at the time of seizure.
I find this a bit odd, but I am going to quote myself here (from my iCloud article): “It is absolutely critical that personnel responsible for seizure, storage, and examinations of i-Devices ensure all radios are disabled on i-Devices while in their custody.”