FBI couldn't get into WaPo reporter's iPhone because Lockdown Mode enabled

Original link: https://www.404media.co/fbi-couldnt-get-into-wapo-reporters-iphone-because-it-had-lockdown-mode-enabled/

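## FBI unable to access reporter's iPhone because of Lockdown Mode

When the Federal Bureau of Investigation (FBI) raided the home of Washington Post reporter Hannah Natanson in January as part of a leak investigation, it was unable to access her iPhone. Court records show the device was protected by Apple's Lockdown Mode, a security feature designed to defend against sophisticated spyware. The FBI's Computer Analysis Response Team could not extract any data from the phone.

Lockdown Mode restricts features such as message attachments and webpage loading and, crucially, limits access when the device is connected to external devices, a method that law enforcement forensic tools such as Graykey and Cellebrite frequently use to unlock phones.

While the iPhone remains inaccessible, the FBI did gain access to a second MacBook Pro using her password, after prompting the reporter to use the fingerprint scanner. They have obtained photos and audio recordings from the laptop's Signal application, but have not yet created a full image of its contents.

The case highlights the growing effectiveness of privacy features such as Lockdown Mode, and the ongoing struggle between technology companies' security enhancements and law enforcement's access to digital data.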

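## FBI blocked by iPhone's Lockdown Mode

A recent case highlights the effectiveness of Apple's Lockdown Mode. Because the feature was enabled, the FBI could not access a Washington Post reporter's iPhone during a leak investigation. Although they got past the biometric security on her MacBook (reportedly by having her unlock it with Touch ID), forensic tools such as Cellebrite and Graykey could not interface with the iPhone because of Lockdown Mode's USB restrictions.

This shows that security features are not just for the "paranoid" but offer real protection to people who handle sensitive information. The incident raises questions about compelled biometric unlocking, which may infringe Fifth Amendment rights.

The discussion also focused on the trade-off between security and convenience, with some suggesting that more granular security options would be ideal.

Others pointed out that Apple and other manufacturers may continue to develop ways to overcome these security measures, stressing the importance of owning and controlling your own encryption keys.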

Original article

The FBI has been unable to access a Washington Post reporter’s seized iPhone because it was in Lockdown Mode, a sometimes overlooked feature that makes iPhones broadly more secure, according to recently filed court records.

The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson, in January as part of an investigation into leaks of classified information. It also provides rare insight into the apparent effectiveness of Lockdown Mode, or at least how effective it might be before the FBI may try other techniques to access the device.

“Because the iPhone was in Lockdown mode, CART could not extract that device,” the court record reads, referring to the FBI’s Computer Analysis Response Team, a unit focused on performing forensic analyses of seized devices. The document is written by the government, and is opposing the return of Natanson’s devices. 

The FBI raided Natanson’s home as part of its investigation into government contractor Aurelio Perez-Lugones, who is charged with, among other things, retention of national defense information. The government believes Perez-Lugones was a source of Natanson’s, and provided her with various pieces of classified information. While executing a search warrant for his mobile phone, investigators reviewed Signal messages between Perez-Lugones and the reporter, the Department of Justice previously said.

Then, the government obtained search warrants for Natanson’s residence, vehicle, and person to seize her electronic devices. Those warrants included language that would have legally allowed them to press Natanson’s fingers onto the devices, or hold them up to her face, to unlock them if biometrics were enabled.

Upstairs in Natanson’s residence, the FBI found a powered-off silver Macbook Pro, an Apple iPhone 13, a Handy branded audio recording device, and a Seagate portable hard drive, according to the court record.

“The iPhone was found powered on and charging, and its display noted that the phone was in ‘Lockdown’ mode,” the court record says.

A screenshot from the court record.

The court record mentioning Lockdown Mode was filed on January 30th, around two weeks after the FBI raided Natanson’s residence, indicating the FBI has not been able to access the iPhone during that time.

Apple primarily markets Lockdown Mode as a feature to mitigate remote access spyware, such as that sold by companies like NSO Group to government agencies. “To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all,” Apple’s website reads. Essentially, Lockdown Mode makes some changes to how iOS works to make it harder for third parties to hack into an iPhone. It blocks most message attachment types; loads webpages differently; and stops FaceTime calls unless you’ve previously called that person in the last 30 days.

A small section of the Lockdown Mode page also mentions mitigations around connecting an iPhone to an external accessory. “Device connections: To connect your iPhone or iPad to an accessory or another computer, the device needs to be unlocked,” the Lockdown Mode page says. “To connect your Mac laptop with Apple silicon to an accessory, your Mac needs to be unlocked and you need to provide explicit approval.” Mobile forensics tools such as Graykey and Cellebrite, which law enforcement use to break into phones, work by physically connecting to a phone to then unlock them.

“Many advanced forensic techniques and law enforcement tools rely on vulnerabilities that Lockdown Mode explicitly blocks or limits,” Andrew Garrett, CEO of digital forensics firm Garrett Discovery, told 404 Media.

Neither the Washington Post nor Apple responded to a request to comment. The FBI declined to comment.

There is a constant cat and mouse dynamic between the companies that make mobile phones and their operating systems, namely Apple and Google, and the firms making tools to break into those devices. In 2024, 404 Media revealed Apple quietly introduced code that was rebooting iPhones after they had not been interacted with for a period of time, making them harder for police to unlock. Broadly, it is harder for authorities to crack devices that have been powered off or not unlocked since switched on, a state known as Before First Unlock (BFU).

The FBI was still able to access another of Natanson’s devices, namely a second silver Macbook Pro. “Once opened, the laptop asked for a Touch Id or a Password,” the court record says. Natanson said she does not use biometrics for her devices, but after investigators told her to try, “when she applied her index finger to the fingerprint reader, the laptop unlocked.” The court record says the FBI has not yet obtained a full physical image of the device, which provides an essentially complete picture of what was stored on it. But the agents did take photos and audio recordings of conversations stored in the laptop’s Signal application, the court record says.
