close
close

Association-anemone

Bite-sized brilliance in every update

iPhones now automatically restart to block access to encrypted data after long periods of inactivity
asane

iPhones now automatically restart to block access to encrypted data after long periods of inactivity

iPhones now automatically restart to block access to encrypted data after long periods of inactivity

Apple added a new security feature with the iOS 18.1 update released last month to ensure that iPhones automatically restart after long periods of inactivity to re-encrypt data and make it harder to extract.

Although the company has yet to officially confirm this new “idle reboot” feature, law enforcement officials were the first to discover it after noticing suspects’ iPhones restarting while in police custody because first reported by 404 Media.

This switches idle devices from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, where devices are more difficult to crack using forensic phone unlocking tools.

In addition, DFU makes extracting stored data more difficult, if not impossible, because even the operating system itself can no longer access it using the encryption keys stored in memory.

“Apple added a feature called ‘restart from inactivity’ in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension,” said Hasso-Plattner-Institut researcher Jiska Classen explicitly.

“It doesn’t seem to have anything to do with phone/wireless network status. Keystore is used when unlocking the device. So if you don’t unlock your iPhone for a while… it will reboot!”

iOS 18.1 Idle Restart feature

Simply put, on iOS devices, all data is encrypted using an encryption key created when the operating system is first installed/setup.

GrapheneOS told BleepingComputer that when an iPhone is unlocked using a PIN or biometric, such as Face ID, the operating system loads the encryption keys into memory. After this, when a file needs to be accessed, it will be automatically decrypted using these encryption keys.

However, after an iPhone is restarted, it enters a “sleeping” state, no longer storing encryption keys in memory. Thus, there is no way to decrypt the data, making it much more resistant to hacking attempts.

If law enforcement or malicious actors gain access to an already locked device, they can use exploits to bypass the lock screen. Since the decryption keys are still loaded in memory, they can access all the phone’s data.

Restarting your device after a period of inactivity will automatically clear the keys from memory and prevent law enforcement or criminals from accessing your phone data.

An Apple spokesperson was not immediately available for comment when contacted by BleepingComputer earlier.