iOS 18 added secret and smart security feature that reboots iThings after three days

iOS 18 added secret and smart security feature that reboots iThings after three days

November 19, 2024 at 03:38AM

Apple’s iOS 18 introduces a security feature that reboots devices after 72 hours of inactivity, enhancing data protection by keeping files encrypted in Before First Unlock (BFU) mode. This reduces access risks for stolen devices, impacting both criminals and forensic analysts, while emphasizing the urgency for law enforcement data extraction.

### Meeting Takeaways:

1. **New Security Feature in iOS 18**:
– Apple introduced an undocumented security feature in iOS 18 that reboots devices after 72 hours of inactivity.

2. **Implications of Reboot Mechanism**:
– The reboot brings devices into a Before First Unlock (BFU) state, where files are encrypted.
– This limits access to data on stolen or seized devices, favoring law enforcement over criminals.

3. **BFU vs. AFU**:
– In BFU, access to files is restricted and encrypted.
– In After First Unlock (AFU), the device is less secure, and most encryption keys are loaded for easier access, although some data still requires a passcode.

4. **Research Findings**:
– Security researcher Jiska Classen reverse-engineered the feature and confirmed the 72-hour reboot timer.
– No evidence of intra-device communication triggering the reboot was found; reboots in older devices may be due to software bugs.

5. **SystemMemoryReset**:
– Magnet Forensics indicated that some reboots might be related to memory maintenance logged as “SystemMemoryReset.”

6. **Technical Insights**:
– Classen identified the “inactivity_reboot” string in iOS 18.1 and 18.2, outlining the mechanism where the Security Enclave Processor communicates the time elapsed since the last unlock to the kernel for reboot initiation.

7. **Impact on Forensic Analysis**:
– Forensic analysts may delay reboots for data extraction but must operate within the three-day window.
– Tools like Cellebrite might obtain limited system data in BFU, with some user data available from specific file types.

8. **Conclusion**:
– The inactivity reboot significantly alters the threat landscape, particularly disadvantaging criminals while increasing time pressure on law enforcement for effective data extraction.

Full Article