Apple’s latest mobile operating system, iOS 18, appears to have added an undocumented security feature that reboots devices if they’re not used for 72 hours.

This has implications for anyone trying to maintain access to a stolen or lawfully seized iOS device without a valid passcode.

When an iPhone reboots, it enters a state called Before First Unlock (BFU) during which the files it contains are encrypted. Once it has been unlocked with a passcode, its state changes to After First Unlock (AFU). At that point the machine is less secure and files become mostly accessible because most encryption keys have been loaded into device memory. But other protections like the lock screen remain, and accessing some data – like Apple Mail, Apple Health, Keychain and location data – may still require a passcode.

If they can’t get full access using a passcode, AFU is the preferred state for attackers and law enforcement agencies because the barriers to access are lower. So having an iPhone reboot itself after 72 hours of inactivity enter BFU reduces the window of opportunity for anyone trying to access data on Apple’s hardware.

In the absence of official details from Apple, security researcher Jiska Classen has published an account of her reverse engineering efforts, which reveal how Apple implemented its Inactivity Reboot mechanism.

Classen undertook the exploration following reports that iPhones running iOS 18 have been rebooting after three days, even when completely isolated from a wireless network, and that iDevices can direct other Apple mobile hardware with older operating systems to reboot.

Classen was able to confirm the 72-hour reboot timer, but found no evidence of intra-device communication capable of triggering a reboot. To the extent older iOS devices are rebooting, she said there’s probably another reason – such as a software bug.

Magnet Forensics notes that some iOS device reboots may follow from memory maintenance through a process identified in logs as “SystemMemoryReset.”

To find evidence of iOS 18’s time-based rebooting behavior, Classen scoured a GitHub repo maintained by fellow researcher “blacktop” that contains a version history of the strings used in iOS releases.

Classen eventually found the string “inactivity_reboot” in iOS 18.1 and iOS 18.2. By delving into Apple’s Security Enclave Processor (SEP) and the AppleSEPKeyStore kernel module, she found that the SEP tells the kernel module when the last unlock time has exceeded three days. The kernel module then tells user space to reboot, with the SpringBoard home screen manager handling the process termination to avoid data loss.

A time-lapse video demonstration shows that an iPhone running iOS 18.2 beta 2 rebooting after being powered on and left alone for 72 hours.

“Security-wise, this is a very powerful mitigation,” wrote Classen in her post. “An attacker must have kernel code execution to prevent an inactivity reboot. This means that a forensic analyst might be able to delay the reboot for the actual data extraction, but the initial exploit must be run within the first three days.”

Forensic analysis tools like Cellebrite can obtain mostly system data if limited to BFU access – though some user data may be available from .KTX files that Apple uses to display thumbnails of SMS messages.

Classen observed that “Inactivity reboot will change the threat landscape for both thieves and forensic analysts, but asymmetrically so: while law enforcement is under more time pressure, it likely completely locks out criminals from accessing your data to get into your bank accounts and other valuable information stored on your iPhone.” ®