The FBI has been unable to access a Washington Post reporter’s seized iPhone because it was in Lockdown Mode, a sometimes overlooked feature that makes iPhones broadly more secure, according to recently filed court records.
The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson, in January as part of an investigation into leaks of classified information. It also provides rare insight into the apparent effectiveness of Lockdown Mode, or at least how effective it might be before the FBI may try other techniques to access the device.
“Because the iPhone was in Lockdown mode, CART could not extract that device,” the court record reads, referring to the FBI’s Computer Analysis Response Team, a unit focused on performing forensic analyses of seized devices. The document was written by the government and opposes the return of Natanson’s devices.
The FBI raided Natanson’s home as part of its investigation into government contractor Aurelio Perez-Lugones, who is charged with, among other things, retention of national defense information. The government believes Perez-Lugones was a source of Natanson’s, and provided her with various pieces of classified information. While executing a search warrant for his mobile phone, investigators reviewed Signal messages between Perez-Lugones and the reporter, the Department of Justice previously said.
Then, the government obtained search warrants for Natanson’s residence, vehicle, and person to seize her electronic devices. Those warrants included language that would have legally allowed them to press Natanson’s fingers onto the devices, or hold them up to her face, to unlock them if biometrics were enabled.
Upstairs in Natanson’s residence, the FBI found a powered-off silver MacBook Pro, an Apple iPhone 13, a Handy-branded audio recording device, and a Seagate portable hard drive, according to the court record.
“The iPhone was found powered on and charging, and its display noted that the phone was in ‘Lockdown’ mode,” the court record says.
A screenshot from the court record.
The court record mentioning Lockdown Mode was filed on January 30th, around two weeks after the FBI raided Natanson’s residence, indicating the FBI has not been able to access the iPhone during that time.
Apple primarily markets Lockdown Mode as a feature to mitigate remote access spyware, such as that sold by companies like NSO Group to government agencies. “To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all,” Apple’s website reads. Essentially, Lockdown Mode makes some changes to how iOS works to make it harder for third parties to hack into an iPhone. It blocks most message attachment types; loads webpages differently; and stops FaceTime calls unless you’ve previously called that person in the last 30 days.