We seem to have quickly gotten an answer to the mystery of why iPhones in the custody of law enforcement have been rebooting themselves, making it harder for cops to break them open. Security researchers have found that the latest version of iOS, version 18.1, includes a feature called “inactivity reboot” that restarts a device after approximately four days in a locked state.
404 Media reported earlier that week that police officers in Detroit were freaking out because iPhones in their custody for examination were randomly rebooting, making it more difficult to crack them open and exfiltrate data that could be useful in investigations. Law enforcement and forensic experts quickly made their way into group chats in order to warn others to get data off devices in their custody as quickly as possible before the reboot happens.
It may seem like a minor issue, but iPhones live in two different states: AFU, or After First Unlock, and BFU, or Before First Unlock. AFU is when somebody has unlocked a device at least once since it was powered on, and experts say devices in this state are generally easier to unlock using exploits. BFU mode is when a device has not been unlocked since it was turned on, and is typically a harder state to crack.
Apple indeed added a feature called “inactivity reboot” in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension. It seems to have nothing to do with phone/wireless network state. Keystore is used when unlocking the device. https://t.co/ONZuU9zVt2 https://t.co/4ORUqR6P6N
— Jiska (@naehrdine) November 8, 2024
Apple is constantly implementing new security measures into its devices, and it’s not likely that the company was specifically targeting law enforcement with this security enhancement.
Apple’s entire brand is providing the most secure, privacy-friendly devices on the market. Its devices are under constant attack from state actors seeking to target journalists, dissidents, and other individuals they aim to silence. It has been widely reported, for instance, that Saudi Arabia used software from Israel-based NSO Group to surveil the family of Jamal Khashoggi prior to his murder. NSO Group makes software called Pegasus that can break into iPhones through the mere delivery of a text message. Apple unsuccessfully sought an injunction preventing NSO Group from using any Apple devices or software.
Apple is constantly playing a game of cat-and-mouse in which exploits are identified by groups like NSO, the company patches them up, those groups find another exploit, and so on and so forth. Forbes recently reported that Apple has been holding annual summits in which it makes presentations to law enforcement on other ways they can use its products in their jobs. But Apple knows that exploits and loopholes in its software can be used not just by good actors but also by nefarious ones, so it does not intentionally leave any vulnerabilities in its products.
Law enforcement agencies are always interested in gaining access to further surveillance capabilities. But that can come with a lot of intended and unintended consequences, and it’s good to see Apple not intentionally making their lives easier. Cops were able to do their jobs and conduct investigations before the iPhone existed, and should be able to do so even if they can’t get into an iPhone today.