Apple quietly introduced code into iOS 18.1 which reboots the device if it has not been unlocked for a period of time, reverting it to a state which improves the security of iPhones overall and is making it harder for police to break into the devices, according to multiple iPhone security experts.
On Thursday, 404 Media reported that law enforcement officials were freaking out that iPhones which had been stored for examination were mysteriously rebooting themselves. At the time the cause was unclear, with the officials only able to speculate why they were being locked out of the devices. Now a day later, the potential reason why is coming into view.
“Apple indeed added a feature called ‘inactivity reboot’ in iOS 18.1.,” Dr.-Ing. Jiska Classen, a research group leader at the Hasso Plattner Institute, tweeted after 404 Media published on Thursday along with screenshots that they presented as the relevant pieces of code.
In a law enforcement and forensic expert only group chat, Christopher Vance, a forensic specialist at Magnet Forensics, said “We have identified code within iOS 18 and higher that is an inactivity timer. This timer will cause devices in an AFU state to reboot to a BFU state after a set period of time which we have also identified.” AFU refers to After First Unlock, which is when somebody, presumably the phone’s owner, has unlocked the device at least once since being powered on, and which generally can make it easier for law enforcement to unlock. BFU, or Before First Unlock, is when a user has not unlocked the phone since it was turned on, and is typically a harder state for forensic tools to crack.
“The reboot timer is not tied to any network or charging functions and only tied to inactivity of the device since last lock,” he wrote. 404 Media obtained multiple screenshots of Vance’s messages in the group chat from a source. 404 Media granted them anonymity because members are typically not allowed to share communications from this group chat.
Magnet Forensics recently acquired Grayshift, the company that makes the phone unlocking tool GrayKey. Rick Andrade, a spokesperson for Magnet Forensics, declined to comment. “We can’t comment on specific issues, but as Chris said, we’re looking into it,” he wrote in an email.
Chris Wade, the founder of mobile analysis company Corellium, told 404 Media that after the fourth day of a device being in a locked state, the device reboots.
Apple did not respond to multiple requests for comment about the reboots and the inactivity feature sent on Thursday and Friday.
The iOS change is the latest skirmish in the ongoing battle between phone manufacturers like Apple, whose main motivation is protecting their users’ data, and forensic firms and law enforcement who want to extract data from seized devices. Initially, the law enforcement officials raising the alarm about the rebooting iPhones speculated that the lockouts were due to their seized iPhones not being connected to a cellular network, or perhaps even an iOS 18 device somehow telling other nearby iPhones to reboot themselves. The real explanation, based on what the multiple experts found, appears to be more about a certain amount of time passing rather than anything else.
“Remember that the real threat here is not police. It’s the kind of people who will steal your iPhone for malign purposes,” Matthew Green, a cryptographer and associate professor at Johns Hopkins University, told 404 Media. “This feature means that if your phone gets stolen, the thieves can’t nurse it along for months until they develop the tech to crack it.”
Green called the feature “a huge improvement in terms of security.” He added “I would bet that rebooting after a reasonable inactivity period probably doesn’t inconvenience anyone, but does make your phone a lot more secure. So it seems like a pretty good idea.”
Police may feel differently though. Vance from Magnet Forensics urged other members of the law enforcement and forensic expert group chat to collect evidence from AFU iOS 18 devices as soon as they can. “It is imperative that you collect the data from your AFU devices as soon as possible with iOS 18,” he wrote.