В iOS 18.1 Apple has introduced a feature that reboots the iPhone if it has not been unlocked for a certain period of time. This prevents law enforcement from gaining access to data.
Previously was reported that law enforcement officials had noticed that Apple iPhones stored for inspection were mysteriously rebooting. At the time, the reason was unclear. The OS code forces the device to reboot into a more secure state.
«Apple has indeed added a feature in iOS 18.1 called «reboot with no activity». This is implemented in keybagd and the AppleSEPKeyStore kernel extension. It doesn’t seem to have anything to do with the state of the phone/wireless network. The key store is used when unlocking the device», — says Dr. Jiska Klassen, head of a research team at the Hasso Plattner Institute, Germany. The researcher also published screenshots of the recovered code.
In a private chat between law enforcement and forensic experts, Christopher Vance, a forensic scientist at Magnet Forensics, said:
«We have identified code in iOS 18 and above that is an inactivity timer. This timer will force devices in the AFU state to reboot to the BFU state after a set time, which we also determined to be».
AFU stands for After First Unlock — when someone, presumably the owner of the phone, has unlocked the device at least once after turning it on. This state makes it easier for law enforcement to unlock the phone. BFU, Before First Unlock — when the user has not unlocked the phone after it was turned on, usually making it more difficult.
«The reboot timer is not tied to any network or charging functions, but only to the inactivity of the device since the last lock», — Vance writes.
«Remember that the real threat is not the police, but people who steal your iPhone for malicious purposes. This feature means that if your phone is stolen, thieves won’t be able to get into it for months until they develop jailbreaking technology. I bet that rebooting after a reasonable period of inactivity probably won’t inconvenience anyone, but it will make your phone much safer. So it seems like a good idea,» says Matthew Green, a cryptographer and assistant professor at Johns Hopkins University.
Corellium founder Chris Wade said that after the fourth day of being locked, the iPhone reboots. Apple has not yet responded to inquiries about reboots. Experts urge law enforcement to collect evidence from the phones as soon as possible.
Source: 404 Media