FBI was not able to extract data from iPhone 13 in lockdown mode in high profile case

We know that iPhones (later than A14 chip) are pretty much secure in BFU. Now the question is, does Lockdown Mode completely remove the AFU attack vector or was this phone actually BFU? Either way it sounds like lockdown mode is very useful. :eye::eye:

“New court record from the FBI details the state of the devices seized from Washington Post reporter Hannah Natanson”

This is a high-profile espionage case related to a leak of TOP SECRET documents, therefore probably all possible tech was used to gain access to the devices.

Page 5:

In the upstairs of the house, investigators located a powered-off silver MacBook Pro with a black case, an Apple iPhone 13, a Handy branded audio recording device, and a Seagate portable hard drive. See id. ¶ 26. Investigators seized these devices. The iPhone was found powered on and charging, and its display noted that the phone was in “Lockdown” mode.

Page 6:

The Computer Analysis Response Team (CART) began processing each device to preserve the information therein. The Handy recorder and the Seagate portable drive have been processed, but no review has occurred. See id. ¶ 37. Because the iPhone was in Lockdown mode, CART could not extract that device. See id. ¶ 35. Similarly, the personal MacBook Pro could not be imaged yet. See id. ¶ 36. The Garmin watch was not processed before this Court’s Standstill Order, and no further processing will occur until further order of the Court. See id. ¶ 37.

original source

10 Likes

This should probably be spammed to every single journalist.

Or it’s a litmus test for how serious a journalist is. Is their iPhone on lockdown mode?

5 Likes

Thank you for yet another fantastic update on iPhone security!

Both her iPhone and her Mac were successful in preventing exploitation of her data.

This shows how much Apple really has taken security extremely seriously the last several years.

Lockdown mode, ADP, and now MIE in new chips have created very robust and very accessible security with a few settings in their devices

5 Likes

Tinfoil hat time! Lol

On my part that is.

Maybe this kind of news is to instill a false sense of security in users that engage in high risk activities with their phones.

I would never want to put that much faith into a device.

3 Likes

Would have been more effective to do active surveillance over time. Slowly load malware onto phones, install bugs in car etc.

Sending a message like a quick raid gets you nothing and puts all adjacent journalists on notice to conduct security reviews.

1 Like

I’m glad you acknowledge that this is very tinfoily.

3 Likes

The personal MacBook was in BFU, so assuming she has a strong password, all bets were off regardless.

You should try to think critically about this. If there is any case the government will use all available tools, it’s when Top Secret information is on the line. There is no evidence, much less any plausible reason to believe there is some conspiracy to obscure their true capabilities in this case.

6 Likes

So expressing an off the cuff opinion not labeled as fact is spreading disinformation?

Under my own admission I said it was a bit tin foily. It’s not a statement of fact.

I lack social skills and say stuff all the time not meaning to offend.

Maybe there’s gurus that know fact from fiction. I don’t and wouldn’t put that much trust in a device unless I had to in a last ditch effort. Thankfully I have no need for that sort of protection. :joy:

And your point about thinking critically? I have seen things in different fields of life that were a conspiracy till it wasn’t. So I am naturally going to gravitate some of what things I do know about into this field for reference.

How can I correct my responses as not to spread FUD?

Just keep my thoughts to myself?

2 Likes

I’m trying to get better with social skills. It’s my admission that “I don’t know”. :+1:

1 Like

and its display noted that the phone was in “Lockdown” mode

A technology literacy gap of the individual who authored this document to the court is possible. AFAIK iPhones do not report on a locked display the status of “lockdown” mode.

Of course, it does appear the phone was in some state that thwarted data recovery efforts, but I’m skeptical we know as fact the device is in “lockdown” mode. If it is - I assume it could only be beneficial.

I’m not suggesting the document intentionally presents false narratives or some other conspiracy to mislead the court and/or public. Simply curious how the government knows the iPhone is in lockdown mode given only the information tendered to the court in this document.

1 Like

My apologies, I think I was too harsh. My intention was simply to demonstrate that your theory doesn’t really stand up to scrutiny imo. I’ve edited my original message.

3 Likes

You gave me a lot to think about and reflect my own state of mind, intentions, biases and views.

I could see where what I said can be defeatist and discouraging.

The way I was seeing it is, most people including myself have no evidence these devices can’t be cracked per se. I have no evidence of either side.

It’s good to talk about these things and I need to make better replies as to why I say what I am saying.

That said, positive innovations towards privacy is awesome. But I know myself well enough it’s easy to become “Too” confident and let my guard down (if I was in such a situation I needed that much anonymity) fully trusting a device made by companies with a lot of money and are part of the bigger problem with their connections and practices.

Hell, I question my own wisdom running a phone made by one of the most invasive privacy companies on the planet! Lol

But I wouldn’t discourage others because I have no evidence there’s a problem and there may not be a problem. Until I learn more and gain confidence, I can’t in good faith tell someone that something is 100% safe. But we do the best we can with what we have access to.

I guess what I am saying and my intent is, don’t be complacent and have a false sense of security unless one darn well knows what they are doing based on their threat model.

Most people don’t, including myself. Not that I need to hide anything. But there are those who do for legitimate reasons.

Yes, fight for privacy and keep learning and growing and keeping up to date as best as possible. But be cautious on the possible limitations of any device or software until one learns more and not just blindly accepting something is private and or anonymous.

That’s part of the reason I made a Post about apps collecting data. Maybe it’s nothing to be worried about for most of us. But for someone else, that’s one more datum point that the device they use is exposed.

I will definitely be willing to talk more about these sort of things if what I am saying is unclear. :slightly_smiling_face:

Really, it’s not a big deal. From reading this thread, this is how I viewed what just happened.

Go to YouTube or any other video hosting platform that you prefer that might have this, and look up this roughly 3 minute skit called “When a Text Conversation Goes Very Wrong - Key & Peele.”

3 Likes

Thank you! Enjoyed the video! :joy:

1 Like

I believe lockdown mode shows notifications with a specific hand blocking icon when it blocks something. Maybe that was an indicator. Also, we’re talking about the FBI CART here. They have lots of experience and based on public contracts, definitely use Magnet Forensics Graykey for initial access into iPhones. Explicitly saying lockdown mode vs unable to extract device are two different things.

My theories:

USB restriction bypass that graykey uses was blocked by lockdown mode
USB could’ve been successful but lockdown mode blocked the graykey agent from being deployed.
FBI assuming things and the new iOS 26 (Wired Accessories) feature is blocking their access.

extra:
FBI consulted with Magnet Forensics support and concluded the phone was in lockdown mode.

This case is very juicy, because if there’s a case where the FBI would want to use all of its forensic capabilities, it’s this one, as it includes TS leaks and the president mentioning it.

2 Likes

The Garmin reference is interesting. Some of them allow notifications to be received on the watch. I disabled it on mine because it’s all-or-nothing and iOS doesn’t play well with non-Apple Watches.

My personal opinion is the walls are closing in for digital forensic companies.

Even if you have exploits for the OS, you still need a way to physically get these exploits onto the device and run it. By hardening the USB port for example, you limit potential attacks.

A few well planned mitigations go a long way, and that is why Apple’s lockdown mode or GrapheneOS’s mitigations are so effective.

1 Like

Some interesting slides I found from the SANS DFIR Summit 2025 regarding lockdown mode. It’s mostly about macOS but mentions iOS briefly. Pay close attention to the company mentioned in the last screenshot. :eye:




I remember skimming through some iOS jailbreak Discord 2 years ago and I would see people mentioning how some jailbreak devs were employed by Cellebrite, NDAs, blah blah. Wouldn’t surprise me if Graykey and Cellebrite are using similar injection methods to jailbreaks and having the ex jb devs improve them in the shadows.


1 Like

Kinda amazing to think you can go to an Apple Store, buy an iPhone, put it in lockdown mode and be resistant to the best state sponsored remote attacks and the best forensics companies in the world.

Oh and you can watch Netflix and FaceTime your grandma with it too.

6 Likes

This thread just validated my decision to use my iPhone in lockdown mode all the time. I’ve noticed one website that has issues with it. Is there any way to whitelist the site or change any other setting to make it usable? Not the end of the world since it’s only one site.

Does Android or GrapheneOS have something similar to Lockdown Mode?