New iOS 18.1 Security Feature Reboots Your iPhone if It’s Inactive For Too Long
Last week, we saw a report that law enforcement officials were concerned that iPhones were secretly communicating with each other to force reboots, frustrating investigators. However, while it seems these suspicions were indeed based on a change that Apple made in a recent iOS update, it’s not what police forensic investigators first thought.
When cops found that iPhones in storage were spontaneously rebooting, they initially believed that it was being caused by new iPhones running iOS 18 being introduced into the mix. The theory was that Apple had snuck some code into iOS 18 to clandestinely communicate with other nearby iPhones that had been removed from a cellular network to force them to reboot.
However, what’s happening is far simpler than what officials first suspected. It’s not that iPhones are communicating with each other, but rather that a change made in iOS 18.1 will cause an iPhone to self-reboot if it hasn’t been unlocked or used for an extended period of time. As we shared in an update to last week’s report, a security researcher who investigated the situation discovered that it was part of a new “inactivity reboot” feature in iOS 18.1 and had no bearing on whether other iPhones were nearby.
Following that discovery, 404 Media did some more digging and confirmed the feature while finding the length of time before a reboot occurs: four days.
In other words, any iPhone running iOS 18.1 or later that goes at least four days without being used will automatically reboot itself.
The problem for law enforcement officials is that an iPhone that’s been rebooted is much harder to hack. Many of the expensive tools used by forensic specialists rely on a locked iPhone being in an “AFU” state, short for “after first unlock.” This isn’t a special forensic term but rather an officially documented mode that refers to a state where certain information remains stored in memory in an unencrypted form. This differs from “BFU” or “before first unlock,” where nearly everything is encrypted until the user enters their passcode or password to decrypt it.
While there’s much more to the AFU/BFU modes, one practical example nearly everyone has experienced is Wi-Fi connections. When you reboot your iPhone, it won’t connect to a Wi-Fi network until you enter your passcode. That’s because the Wi-Fi password isn’t decrypted until you unlock your iPhone. Once you’ve done that, the password remains decrypted in memory, so you can connect to known Wi-Fi networks without having to unlock your device each time.
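A simplified model of the BFU/AFU behaviour and the inactivity reboot described above, added here as an illustration and not Apple’s implementation. `ToyPhone`, the PBKDF2 derivation and the XOR wrapping are assumptions standing in for the real hardware-backed key handling; the four-day limit is the figure reported on this page.

```python
import hashlib, hmac, os

INACTIVITY_LIMIT = 4 * 24 * 3600  # seconds; the four-day figure reported above

def derive_key(passcode, salt):
    # Stand-in for the passcode-derived key (assumption: PBKDF2, no hardware key)
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)

def xor(a, b):
    # Toy cipher for illustration only, not real encryption
    return bytes(x ^ y for x, y in zip(a, b))

class ToyPhone:
    def __init__(self, passcode, wifi_password, now=0):
        self.salt = os.urandom(16)
        kek = derive_key(passcode, self.salt)
        class_key = os.urandom(32)
        # Stored at rest: the class key wrapped under the passcode-derived key
        self.wrapped = xor(class_key, kek)
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()
        self.wifi_blob = xor(wifi_password.encode().ljust(32, b"\0"), class_key)
        self.class_key = None   # BFU: no usable key in memory
        self.last_use = now

    @property
    def state(self):
        return "BFU" if self.class_key is None else "AFU"

    def tick(self, now):
        # Inactivity reboot: evict the in-memory key, returning to BFU
        if self.class_key is not None and now - self.last_use >= INACTIVITY_LIMIT:
            self.class_key = None

    def unlock(self, passcode, now):
        self.tick(now)
        kek = derive_key(passcode, self.salt)
        tag = hmac.new(kek, self.wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self.tag):
            return False        # wrong passcode: key stays wrapped
        self.class_key = xor(self.wrapped, kek)
        self.last_use = now
        return True

    def join_wifi(self, now):
        # Works while locked in AFU; fails in BFU because the key is absent
        self.tick(now)
        if self.class_key is None:
            return None
        return xor(self.wifi_blob, self.class_key).rstrip(b"\0").decode()
```

The model treats any time after the last successful unlock as inactivity, so a phone left untouched for the full limit drops back to BFU and can no longer read the stored Wi-Fi secret until the passcode is entered again.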
Although this latest change is undoubtedly frustrating for law enforcement, Apple’s goal is to make the iPhone as secure as possible against all forms of attack. It’s the same problem that’s been ongoing since Apple went up against the FBI in the infamous case of the San Bernardino shooter’s iPhone. Apple can and does comply with all lawful requests for access to information, but it can’t hand over what it doesn’t have, and it refuses to weaken security for its users by creating back doors that could let in the bad guys just as easily as the good guys.
By the same logic, when Apple improves security for its customers to make it more difficult for malicious hackers to get at their personal information, it also makes it much more difficult for law enforcement investigators to access personal information stored on a suspect’s iPhone. There’s simply no way to have it both ways.
Cryptographer and Johns Hopkins professor Matthew Green told 404 Media last week that he found it “utterly bizarre and amazing” that law enforcement officials had jumped to the conclusion that iOS 18 devices were rebooting each other. In this week’s follow-up, Green adds that the inactivity reboot makes a lot more sense and seems like “a pretty good idea” for overall security:
“Remember that the real threat here is not police. It’s the kind of people who will steal your iPhone for malign purposes. This feature means that if your phone gets stolen, the thieves can’t nurse it along for months until they develop the tech to crack it. I would bet that rebooting after a reasonable inactivity period probably doesn’t inconvenience anyone, but does make your phone a lot more secure. So it seems like a pretty good idea.”
It’s quite common for law enforcement investigators and criminals to keep iPhones on hand until they find ways to break their security. Remember that an iPhone sitting in a forensics lab — whether that’s one owned by police or an organized crime ring — isn’t receiving any iOS updates, so they can sit back and read Apple’s security release notes to discover new flaws that might allow them to access these iPhones in the future. Likewise, companies like GrayShift are playing the same cat-and-mouse game. While Apple is doing an excellent job of staying ahead of the curve, iPhones that haven’t received any iOS updates will eventually become vulnerable to these hacking tools.