Apple Intelligence was the most notable upgrade that arrived on iPhones with the iOS 18 series of updates. But it seems Apple reinforced the security protocols in the background that could prevent bad actors from gaining unauthorized access to iPhones that haven’t been unlocked in a while by their legitimate owner.
Earlier this month, 404Media reported that law enforcement officials are troubled by iPhones that are mysteriously rebooting. Citing a report courtesy of officials in Michigan, the outlet notes that the reboots are hampering the ability to access what’s stored on the phones through brute-force unlock methods.
Following the report, Dr.-Ing. Jiska Classen, a wireless and mobile security researcher at the Hasso Plattner Institute, shared on social media about a new iOS 18.1 feature called inactivity reboot. It kicks into action when an unlock action is attempted on an iPhone.
“While most people won’t have their phone forensically analyzed, many more will have their devices stolen. It protects user data in both cases,” she explained. The whole system is tied to patterns of inactivity and how a phone taps into a secure state after being restarted.
Specifically, a phone enters a Before First Unlock (BFU) state following a restart. It only exits that stage after the phone has been unlocked. BFU is a critical security measure, as it encrypts files individually on the phone, which means they can be accessed only after the phone has been unlocked.
On iPhones, unlocking it after a restart (or the BFU phase) generates a decryption key, which subsequently decrypts the files and allows access to them. “Almost all the content of an iPhone is encrypted until the point when the user unlocks it to enable the phone to start up,” explains Celleberite, a company that makes devices used by law enforcement to extract data from phones.
The BFU state doesn’t seem to block access to all data, but it does impose some serious restrictions. “Remember, if you seize an iPhone and it is already powered on, try to keep it that way,” Cellebrite warns investigators in another blog post.
Apple’s new inactivity reboot system throws another obstacle in the way of accessing the data on an iPhone even if it hasn’t been unlocked in a while, thanks to the automatic reboot process that puts the phone in BFU mode.
Now, the BFU state itself is not impenetrable on its own. Cellebrite claims that its Premium package — which includes a UFED device and special software — can help extract data from devices in the BFU state.
However, as per a research paper by experts at the Department of Electrical Engineering (Faculty of Engineering, Universitas Indonesia), they could “see just around 40% of the media obtained in BFU locked device extraction” using the Cellbrite Premium system.
Apple hasn’t officially commented on the inactivity reboot system that it implemented with iOS 18.1 yet. However, the company still cooperates with law enforcement authorities to unlock iPhones with proper warrant or legal authorization.
