Article Details
Scrape Timestamp (UTC): 2024-11-12 00:19:48.395
Original Article Text
Click to Toggle View
iPhones now auto-restart to block access to encrypted data after long idle times. Apple has added a new security feature with the iOS 18.1 update released last month to ensure that iPhones automatically reboot after long idle periods to re-encrypt data and make it harder to extract. While the company has yet to officially confirm this new "inactivity reboot" feature, law enforcement officers were the first to discover it after observing suspects' iPhones restarting while in police custody, as first reported by 404 Media. This switches the idle devices from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, where the devices are more challenging to break using forensic phone unlocking tools. Furthermore, DFU makes extracting stored data harder, if not impossible, since even the operating system itself can no longer access it using encryption keys stored in memory. "Apple added a feature called "inactivity reboot" in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension," as Hasso-Plattner-Institut researcher Jiska Classen explained. "It seems to have nothing to do with phone/wireless network state. Keystore is used when unlocking the device. So if you don't unlock your iPhone for a while... it will reboot!" Simply put, on iOS devices, all data is encrypted using an encryption key created when the operating system is first installed/set up. GrapheneOS told BleepingComputer that when an iPhone is unlocked using a PIN or biometric, like Face ID, the operating system loads the encryption keys into memory. After this, when a file needs to be accessed, it will automatically be decrypted using these encryption keys. However, after an iPhone is rebooted, it goes into an "at rest" state, no longer storing encryption keys in memory. Thus, there is no way to decrypt the data, making it much more resistant to hacking attempts. If law enforcement or malicious actors gain access to an already locked device, they can use exploits to bypass the lock screen. Since decryption keys are still loaded into memory, they can access all of the phone's data. Rebooting the device after an idle period will automatically wipe the keys from memory and prevent law enforcement or criminals from accessing your phone's data. An Apple spokesperson was not immediately available for comment when contacted by BleepingComputer earlier.
Daily Brief Summary
Apple's recent iOS 18.1 update includes a new security feature causing iPhones to automatically reboot after being idle for extended periods.
This "inactivity reboot" aims to re-encrypt data and complicate unauthorized data extraction from devices in states such as After First Unlock (AFU).
Devices reboot to a Before First Unlock (BFU) state, a more secure condition where decryption keys are not loaded, making data access significantly more challenging.
Law enforcement discovered the feature when suspects' phones, held in custody, rebooted unexpectedly, complicating data extraction efforts.
The feature, independent of phone or network status, activates based on device inactivity alone, enhancing security against both law enforcement breaches and criminal exploits.
Once rebooted, iPhones require re-authentication, clearing encryption keys from memory, thus fortifying data against unauthorized access.
Apple has not provided an official statement on the feature, though its effectiveness in protecting user data has been highlighted by technology researchers and media reports.