iOS 18 added secret and smart security feature that reboots iThings after three days
- Reference: 1732005075
- News link: https://www.theregister.co.uk/2024/11/19/ios_18_secret_reboot/
- Source link:
This has implications for anyone trying to maintain access to a stolen or lawfully seized iOS device without a valid passcode.
When an iPhone reboots, it enters a state called [1]Before First Unlock (BFU) during which the files it contains are encrypted. Once it has been unlocked with a passcode, its state changes to After First Unlock (AFU). At that point the machine is less secure and files become mostly accessible because most encryption keys have been loaded into device memory. But other protections like the lock screen remain, and accessing some data – like Apple Mail, Apple Health, Keychain and location data – may still require a passcode.
[2]
If they can’t get full access using a passcode, AFU is the preferred state for attackers and law enforcement agencies because the barriers to access are lower. So having an iPhone reboot itself after 72 hours of inactivity enter BFU reduces the window of opportunity for anyone trying to access data on Apple’s hardware.
[3]
[4]
In the absence of official details from Apple, security researcher Jiska Classen has [5]published an account of her reverse engineering efforts, which reveal how Apple implemented its Inactivity Reboot mechanism.
Classen undertook the exploration following reports that iPhones running iOS 18 have been rebooting after three days, even when completely isolated from a wireless network, and that iDevices can direct other Apple mobile hardware with older operating systems to reboot.
[6]
Classen was able to confirm the 72-hour reboot timer, but found no evidence of intra-device communication capable of triggering a reboot. To the extent older iOS devices are rebooting, she said there's probably another reason – such as a software bug.
Magnet Forensics [7]notes that some iOS device reboots may follow from memory maintenance through a process identified in logs as " [8]SystemMemoryReset ."
To find evidence of iOS 18's time-based rebooting behavior, Classen scoured [9]a GitHub repo maintained by fellow researcher "blacktop" that contains a version history of the strings used in iOS releases.
[10]Will passkeys ever replace passwords? Can they?
[11]T-Mobile US 'monitoring' China's 'industry-wide attack' amid fresh security breach fears
[12]NIST trains AI to hear the 'oh crap' moment before batteries explode
[13]Teen serial swatter-for-hire busted, pleads guilty, could face 20 years
Classen eventually found the string "inactivity_reboot" in iOS 18.1 and iOS 18.2. By delving into Apple's Security Enclave Processor (SEP) and the AppleSEPKeyStore kernel module, she found that the SEP tells the kernel module when the last unlock time has exceeded three days. The kernel module then tells user space to reboot, with the SpringBoard home screen manager handling the process termination to avoid data loss.
A [14]time-lapse video demonstration shows that an iPhone running iOS 18.2 beta 2 rebooting after being powered on and left alone for 72 hours.
[15]
"Security-wise, this is a very powerful mitigation," wrote Classen in her post. "An attacker must have kernel code execution to prevent an inactivity reboot. This means that a forensic analyst might be able to delay the reboot for the actual data extraction, but the initial exploit must be run within the first three days."
Forensic analysis tools [16]like Cellebrite can obtain [17]mostly system data if limited to BFU access – though some user data may be available from .KTX files that Apple uses to display thumbnails of SMS messages.
Classen observed that "Inactivity reboot will change the threat landscape for both thieves and forensic analysts, but asymmetrically so: while law enforcement is under more time pressure, it likely completely locks out criminals from accessing your data to get into your bank accounts and other valuable information stored on your iPhone." ®
Get our [18]Tech Resources
[1] https://blogs.dsu.edu/digforce/2023/08/23/bfu-and-afu-lock-states
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zzxv14V9VxBt4bCF0GpEeAAAAJA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zzxv14V9VxBt4bCF0GpEeAAAAJA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zzxv14V9VxBt4bCF0GpEeAAAAJA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zzxv14V9VxBt4bCF0GpEeAAAAJA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.magnetforensics.com/blog/understanding-the-security-impacts-of-ios-18s-inactivity-reboot/
[8] https://www.reddit.com/r/iphone/comments/xh17cw/is_there_anyone_knows_what_is_systemmemoryreset/
[9] https://github.com/blacktop/ipsw-diffs
[10] https://www.theregister.com/2024/11/17/passkeys_passwords/
[11] https://www.theregister.com/2024/11/18/tmobile_us_attack_salt_typhoon/
[12] https://www.theregister.com/2024/11/18/battery_fail_sound_ai/
[13] https://www.theregister.com/2024/11/18/teenage_serial_swatterforhire_busted/
[14] https://www.youtube.com/watch?v=QOe2rDKOWMk
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zzxv14V9VxBt4bCF0GpEeAAAAJA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[16] https://www.theregister.com/2018/06/14/apple_usb_restricted_mode_hourly/
[17] https://cellebrite.com/en/what-can-be-recovered-from-bfu-data-collection/
[18] https://whitepapers.theregister.com/
Anything that makes life harder for companies like Cellebrite
Is a good thing.
Yeah yeah people will say "what about terrorists" but for every legitimate terrorist whose phone the cops want to break into there are probably 10,000 phones of people innocent of crimes they are suspected of or are only guilty of entering the US while having a Muslim name.
I just wish the interval was configurable. 72 hours still gives them too much time as far as I'm concerned. You should be able to configure 12 hours and 1 hour instead of 72 if you want. If I had those options I'd set it for 12 hours because if I go 12 straight hours without ever once unlocking my phone then I'm not going to care if it reboots. And I'd set it to 1 hour anytime I was crossing a border - heck in that case I'd want a 1 hour reboot timer regardless of activity so if they grabbed it out of my hands while it was unlocked they couldn't do much with it!
"smart security feature"...
It was probably just a bug...
And when it was finally discovered they thought : "You know what ? Let's keep it in there and call it a 'feature'..."
"law enforcement is under more time pressure"
I'm all for it.
I've had more than enough of hearing how the police run amok through people's private data whether they have a case or not.
If you can't get a warrant, you shouldn't be looking at my data.
Microsoft - Ahead with security!
Windows has been secured like this for years and more - instead of 3 days, they reboot after 3 hours!