Apple has added a brand new safety function with the iOS 18.1 replace launched final month to make sure that iPhones routinely reboot after lengthy idle durations to re-encrypt information and make it more durable to extract.
Whereas the corporate has but to formally affirm this new “inactivity reboot” function, legislation enforcement officers have been the primary to find it after observing suspects’ iPhones restarting whereas in police custody, as first reported by 404 Media.
This switches the idle units from an After First Unlock (AFU) state to a Earlier than First Unlock (BFU) state, the place the units are more difficult to interrupt utilizing forensic cellphone unlocking instruments.
Moreover, DFU makes extracting saved information more durable, if not unimaginable, since even the working system itself can not entry it utilizing encryption keys saved in reminiscence.
“Apple added a function known as “inactivity reboot” in iOS 18.1. That is carried out in keybagd and the AppleSEPKeyStore kernel extension,” as Hasso-Plattner-Institut researcher Jiska Classen explained.
“It appears to don’t have anything to do with cellphone/wi-fi community state. Keystore is used when unlocking the machine. So in the event you do not unlock your iPhone for some time… it is going to reboot!”
Merely put, on iOS units, all information is encrypted utilizing an encryption key created when the working system is first put in/arrange.
GrapheneOS instructed BleepingComputer that when an iPhone is unlocked utilizing a PIN or biometric, like Face ID, the working system masses the encryption keys into reminiscence. After this, when a file must be accessed, it is going to routinely be decrypted utilizing these encryption keys.
Nevertheless, after an iPhone is rebooted, it goes into an “at relaxation” state, not storing encryption keys in reminiscence. Thus, there isn’t a method to decrypt the info, making it way more proof against hacking makes an attempt.
If legislation enforcement or malicious actors achieve entry to an already locked machine, they’ll use exploits to bypass the lock display screen. Since decryption keys are nonetheless loaded into reminiscence, they’ll entry all the cellphone’s information.
Rebooting the machine after an idle interval will routinely wipe the keys from reminiscence and forestall legislation enforcement or criminals from accessing your cellphone’s information.
An Apple spokesperson was not instantly out there for remark when contacted by BleepingComputer earlier.
