Apple has added a new security feature with the iOS 18.1 update released last month to ensure that iPhones automatically reboot after long idle periods to re-encrypt data and make it harder to extract.
While the company has yet to officially confirm this new "inactivity reboot" feature, law enforcement officers were the first to discover it after observing suspects' iPhones restarting while in police custody, as first reported by 404 Media.
This switches the idle devices from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, where the devices are more challenging to break using forensic phone unlocking tools.
Furthermore, DFU makes extracting stored data harder, if not impossible, since even the operating system itself can no longer access it using encryption keys stored in memory.
"Apple added a feature called "inactivity reboot" in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension," as Hasso-Plattner-Institut researcher Jiska Classen explained.
"It seems to have nothing to do with phone/wireless network state. Keystore is used when unlocking the device. So if you don't unlock your iPhone for a while... it will reboot!"
Simply put, on iOS devices, all data is encrypted using an encryption key created when the operating system is first installed/set up.
GrapheneOS told BleepingComputer that when an iPhone is unlocked using a PIN or biometric, like Face ID, the operating system loads the encryption keys into memory. After this, when a file needs to be accessed, it will automatically be decrypted using these encryption keys.
However, after an iPhone is rebooted, it goes into an "at rest" state, no longer storing encryption keys in memory. Thus, there is no way to decrypt the data, making it much more resistant to hacking attempts.
If law enforcement or malicious actors gain access to an already locked device, they can use exploits to bypass the lock screen. Since decryption keys are still loaded into memory, they can access all of the phone's data.
Rebooting the device after an idle period will automatically wipe the keys from memory and prevent law enforcement or criminals from accessing your phone's data.
An Apple spokesperson was not immediately available for comment when contacted by BleepingComputer earlier.
Comments
h_b_s - 3 days ago
Meant to stop thieves from stealing an iPhone after the owner unlocks it in drive by attacks.
If the phone is just going to reboot in a few days, and various sensitive functions are protected by asking for the PIN a second time then iPhones become vulnerable for much narrower time slices. They're much less valuable to thieves trying to drain accounts or move the stolen phones. That won't help people if they are foolish enough to use a banking app that doesn't ask for PINs on access and transaction, however.
It's not about circumventing legitimate police access. It's about protecting their customers from physical assault aimed at stealing their phone.
oofus - 2 days ago
Cool story bro. Any sources to back up your wild imagination? Otherwise, it seems like bad actors can already access the key in memory on an unlocked phone. Seems more likely to interfere with legitimate attempts to retain access by law enforcement on a locked device.
powerspork - 1 day ago
Law enforcement and bad actors are not mutually exclusive groups. They should not have free reign over any phone they decide they want to look at. If they need data so bad, they should follow proper channels and query this information from the cloud providers, which is where it is anyways.