ElcomSoft fails on iPhone 17 locks

- ElcomSoft said on April 29 its iOS Forensic Toolkit 10.02 now supports low-level extraction on most iOS 26 devices — but not iPhone 17 models.
- The blocker is Apple’s hardware-backed Memory Integrity Enforcement on A19 chips, which kills exploit attempts before ElcomSoft’s extraction agent can run.
- That matters because one of the main commercial iPhone forensic paths now stops at Apple’s newest phones and M5 iPads.

iPhone forensics is a niche world, but the stakes are simple — can investigators pull data off a locked phone, or not? This week, ElcomSoft answered that question for Apple’s newest hardware with a pretty blunt no. Its updated iOS Forensic Toolkit can now do low-level extraction on most devices running iOS 26, but the iPhone 17 line and M5 iPads are excluded because Apple’s new Memory Integrity Enforcement blocks the exploit path the tool depends on. (elcomsoft.com)

### What actually failed?

ElcomSoft’s tool uses a sideloaded “extraction agent” — basically a small app that bundles privilege-escalation exploits, breaks out of the sandbox, and then reaches the file system and keychain data an examiner wants. That path now works across much more of Apple’s software stack than before, including the full iOS 17 branch, much of iOS 18, and most de(elcomsoft.com) on iPhone 17 models at all. (blog.elcomsoft.com)

### Why does the iPhone 17 stop it?

The short version is hardware. Apple added Memory Integrity Enforcement, or MIE, to devices built on the A19, A19 Pro, and M5 chips. The system tags memory allocations and requires matching tags on access. If the tags do not match during an exploit attempt, the processor throws an immediate exception and (blog.elcomsoft.com)block” to device exploitation. (blog.elcomsoft.com)

### Is this just a software patch?

No — and that is the important part. Software bugs get patched, then new bugs get found. MIE is different because Apple pushed the defense down into the hardware-software boundary. Apple framed it as always-on memory safety designed to raise the cost of the kind of memo(blog.elcomsoft.com) work with the agent, current-generation chips do not. (security.apple.com)

### Does that mean no data can be extracted?

Not quite. It means this specific low-level, agent-based route is gone on the newest hardware. ElcomSoft still has other acquisition modes, including logical and bootloader-based methods, but those are not interchangeable. Logical extraction usually gets less. Bootloader methods depend on older hardware flaws(security.apple.com)appears, the ceiling on what examiners can collect drops with it. (elcomsoft.com)

### Why do forensic labs care so much about “low-level” access?

Because low-level access is where the good stuff lives — the full file system, more app data, and the secrets needed to decrypt keychain material. Think of it as the difference between looking through the front window and getting the keys to the building. If a tool can only do logical acquisition, investigators may s(elcomsoft.com)se in serious criminal, intelligence, or incident-response work. (blog.elcomsoft.com)

### Is Apple targeting forensic vendors here?

Apple is not saying that directly. Its public framing is spyware resistance and memory safety, not “anti-forensics.” But the same exploit chains that spyware vendors use are often the ones commercial forensic tools rely on. So a defense built to break high-end exploitation also breaks lawful-acc(blog.elcomsoft.com)it is just more visible now because a vendor publicly admitted the newest iPhones are out of reach. (security.apple.com)

### Why is this landing now?

Because ElcomSoft’s April 29 release expanded support everywhere else. The contrast makes the gap obvious. The company just pushed agent-based extraction forward to iOS 26 on most supported devices, after earlier extending coverage through iOS 17 and much of iOS 18. In other words, the tool got better overall right as Apple’s newest silicon set a fresh hard limit. (elcomsoft.com)

### Bottom line?

The news is not that iPhone forensics died. It is narrower, and more important: one of the established commercial paths for deep extraction now stops at the iPhone 17. If that holds, Apple’s newest phones are not just incrementally harder to break into — they mark a real boundary between older iPhone exploitation and a new hardware era. (elcomsoft.com)
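The tag check described under "Why does the iPhone 17 stop it?", as a simplified software model added here (not Apple's or ElcomSoft's code): it shows a write past one allocation into its neighbour and a write through a freed pointer both failing the check. The 16-byte granule, the tag range 1..15, the toy bump allocator and every function name are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>

#define GRANULE 16   /* bytes covered by one tag (model assumption) */
#define GRANULES 8   /* size of the toy heap, in granules */

enum { ACCESS_OK = 0, TAG_FAULT = -1 };

/* A "pointer" in this model: heap offset plus the tag it was issued with. */
typedef struct { size_t off; size_t len; uint8_t tag; } tagged_ptr;

static uint8_t heap[GRANULES * GRANULE];
static uint8_t mem_tag[GRANULES];  /* tag currently assigned to each granule */
static size_t  next_free;          /* bump-allocator cursor, in granules */
static uint8_t last_tag;           /* tag 0 is reserved as "invalid" */

/* Cycle through tags 1..15 so neighbours and reused memory get new tags. */
static uint8_t new_tag(void) { last_tag = (uint8_t)(last_tag % 15 + 1); return last_tag; }

static void retag(tagged_ptr p, uint8_t tag) {
    for (size_t g = p.off / GRANULE; g < (p.off + p.len) / GRANULE; g++)
        mem_tag[g] = tag;
}

/* Allocate whole granules and tag them; the caller's pointer carries the
   same tag. Returns an invalid (tag 0) pointer when the toy heap is full. */
tagged_ptr tagged_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (next_free + n > GRANULES) return (tagged_ptr){0, 0, 0};
    tagged_ptr p = { next_free * GRANULE, n * GRANULE, new_tag() };
    next_free += n;
    retag(p, p.tag);
    return p;
}

/* Freeing retags the memory, so a stale pointer no longer matches. */
void tagged_free(tagged_ptr p) { retag(p, new_tag()); }

/* Every store compares the pointer's tag with the memory's tag first. */
int checked_store(tagged_ptr p, size_t index, uint8_t value) {
    size_t addr = p.off + index;
    if (p.tag == 0 || addr >= sizeof heap || mem_tag[addr / GRANULE] != p.tag)
        return TAG_FAULT;          /* where hardware would raise the exception */
    heap[addr] = value;
    return ACCESS_OK;
}
```

In this model a write into the unused padding of an allocation's own last granule still passes, because the tag is checked per granule rather than per byte.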
