Apple quietly added a new feature in iOS 18.1 that restarts the device if it hasn’t been unlocked for a while. This reset helps secure iPhones and makes it tougher for police to access stored data, as multiple iPhone security experts have pointed out.
On Thursday, it was reported that law enforcement officials were puzzled by iPhones in storage suddenly rebooting on their own. Initially, the cause was a mystery, leaving officials guessing why they were being locked out. However, according to 404 Media, experts have started piecing together the reason.
According to Dr.-Ing. Jiska Classen from the Hasso Plattner Institute, Apple added an "inactivity reboot" feature in iOS 18.1. This was confirmed in her tweet after 404 Media shared the story, showing screenshots of what seems to be the relevant code.
Apple indeed added a feature called "inactivity reboot" in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension. It seems to have nothing to do with phone/wireless network state. Keystore is used when unlocking the device.https://t.co/ONZuU9zVt2 https://t.co/4ORUqR6P6N pic.twitter.com/O3jijuqpN0
— Jiska (@naehrdine) November 8, 2024
In a private group chat for law enforcement and forensic experts, Christopher Vance from Magnet Forensics confirmed, "We found code in iOS 18 and above that triggers an inactivity timer. When this timer runs out, the device reboots, moving from an AFU state to a BFU state." AFU, or “After First Unlock,” means the phone has been unlocked once since it was turned on, making it easier for law enforcement to access. BFU, or “Before First Unlock,” makes it much harder for forensic tools to crack the device.
One law enforcement expert shared that the reboot timer doesn’t rely on network or charging status—just the inactivity period.
This change in iOS is the latest move in the ongoing tug-of-war between phone makers like Apple, aiming to protect user data, and law enforcement seeking access to data on seized devices. Initially, police believed the reboots were due to seized iPhones not being on a cellular network or, bizarrely, iOS 18 devices triggering other nearby iPhones to reboot. But experts now say the timer-based reboot seems to be the actual cause.
Experts like Dr.-Ing. Jiska Classen sees this as a great move from Apple. Sure, most people won’t ever have their phones under forensic analysis, but way more will deal with theft—and this protects their data in both situations.
Law enforcement, however, isn’t thrilled. Vance from Magnet Forensics advised his group chat to collect data from AFU iOS 18 devices as quickly as possible, saying, “It’s crucial to get data from your AFU devices with iOS 18 as soon as you can.”
8 Comments - Add comment