Apple’s new iPhone software comes with a novel security feature that reboots the phone if it’s not unlocked for 72 hours, according to security researchers.
Last week, 404 Media reported that law enforcement officers and forensic experts were concerned that some iPhones were rebooting themselves under mysterious circumstances, which made it harder for them to get access to the devices and extract data. Citing security researchers, 404 Media later reported that iOS 18 had a new “inactivity reboot” feature that forced the devices to restart.
Now we know exactly how long it takes for this feature to kick in.
On Wednesday, Jiska Classen, a researcher at the Hasso Plattner Institute and one of the first security experts to spot this new feature, published a video demonstrating the “inactivity reboot” feature. The video shows that an iPhone left alone without being unlocked reboots itself after 72 hours.
Magnet Forensics, a company that provides digital forensic products including the iPhone and Android data extraction tool Graykey, also confirmed that the timer for the feature is 72 hours.
“Inactivity reboot” effectively puts iPhones in a more secure state by locking the user’s encryption keys in the iPhone’s secure enclave chip.
“Even if thieves leave your iPhone powered on for a long time, they won’t be able to unlock it with cheaper, outdated forensic tooling,” Classen wrote on X. “While inactivity reboot makes it more challenging for law enforcement to get data from devices of criminals, this won’t lock them out completely. Three days is still plenty of time when coordinating steps with professional analysts.”
Contact Us
Do you work for a mobile forensics company or law enforcement? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
iPhones have two different states that can affect the ability of law enforcement, forensic experts, or hackers, to unlock them by brute-forcing the user’s passcode, or extracting data by exploiting security flaws in the iPhone software. These two states are “Before First Unlock,” or BFU, and “After First Unlock,” or AFU.
When the iPhone is in BFU state, the user’s data on their iPhone is fully encrypted and near-impossible to access, unless the person trying to get in knows the user’s passcode. In AFU state, on the other hand, certain data is unencrypted and may be easier to extract by some device forensic tools — even if the phone is locked.
An iPhone security researcher who goes by Tihmstar told TechCrunch that the iPhones in those two states are also referred to as “hot” or “cold” devices.
Tihmstar said that many forensic companies focus on “hot” devices in an AFU state, because at some point the user entered their correct passcode, which is stored in the memory of the iPhone’s secure enclave. By contrast, “cold” devices are far more difficult to compromise because its memory cannot be easily extracted once the phone restarts.
For years, Apple has added new security features that law enforcement have opposed and spoken out against, arguing that they are making their job harder. In 2016, the FBI took Apple to court in an effort to force the company to build a backdoor to unlock the iPhone of a mass-shooter. Eventually, the Australian startup Azimuth Security helped the FBI hack into the phone.
Apple did not respond to a request for comment.
