Researcher Deconstructs iPhone’s Inactivity Reboot Functionality


A recent investigation by 404 Media highlighted law enforcement concerns about iPhones rebooting themselves, which complicates unauthorized access to the devices. Security researcher Jiska Classen has identified the cause as a feature known as “Inactivity Reboot,” which Classen has now analyzed in detail.

Dissecting iPhone’s Inactivity Reboot feature

In a detailed blog entry, the researcher explained how Apple discreetly integrated the Inactivity Reboot feature without any public announcements. Analysis of iOS code indicates that this feature was introduced in iOS 18.1, while code from the iOS 18.2 beta suggests ongoing enhancements are being made.

Interestingly, contrary to earlier assumptions, this security measure isn’t linked to the device’s wireless connectivity. Instead, it relies on the Secure Enclave Processor (SEP) to track when the iPhone was last unlocked. Once that interval exceeds three days, the SEP signals the kernel to terminate SpringBoard (the iOS home-screen and user-interface process) and trigger a reboot.

Classen notes that Apple has built in safeguards against attempts to circumvent this process. If anything prevents the kernel from performing the reboot, the system forces a kernel panic, which crashes and reboots the device anyway. Additionally, analytics data is sent to Apple whenever a device enters the “aks-inactivity” state.
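The two paragraphs above describe a watchdog pattern: a timer in a separate trust domain (the SEP) counts time since the last unlock, asks the kernel to reboot at the three-day mark, and escalates to a kernel panic if the kernel does not comply. The following simulation, written for this article as an illustration and not Apple's code or anything from Classen's reverse engineering, models that pattern so the escalation path can be seen end to end. The grace period before the panic, the timer restarting at boot, and the `Device`/`SepInactivityTimer` names are assumptions made for the model; only the three-day threshold and the `aks-inactivity` state name come from the article.

```python
"""Model of an inactivity-reboot watchdog (constructed example, not Apple's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

DAY = 24 * 60 * 60
INACTIVITY_THRESHOLD = 3 * DAY  # three days since the last unlock (from the article)
REBOOT_GRACE = 30               # ASSUMED: seconds the kernel gets before the SEP forces a panic


class Action(Enum):
    NONE = "none"
    REBOOT = "reboot"              # SEP tells the kernel: kill SpringBoard and reboot
    KERNEL_PANIC = "kernel_panic"  # escalation when the requested reboot did not happen


@dataclass
class SepInactivityTimer:
    """SEP-side timer: it trusts only its own clock and its own unlock record."""
    last_unlock: float
    reboot_requested_at: Optional[float] = None
    analytics: List[Tuple[str, float]] = field(default_factory=list)

    def record_unlock(self, now: float) -> None:
        self.last_unlock = now
        self.reboot_requested_at = None

    def reset_at_boot(self, now: float) -> None:
        # ASSUMED: the countdown restarts once the device has rebooted.
        self.last_unlock = now
        self.reboot_requested_at = None

    def tick(self, now: float) -> Action:
        if now - self.last_unlock < INACTIVITY_THRESHOLD:
            return Action.NONE
        if self.reboot_requested_at is None:
            self.reboot_requested_at = now
            self.analytics.append(("aks-inactivity", now))  # state name from the article
            return Action.REBOOT
        if now - self.reboot_requested_at >= REBOOT_GRACE:
            return Action.KERNEL_PANIC
        return Action.NONE


@dataclass
class Device:
    """Main-OS side. The SEP timer is outside the kernel's control, so a kernel that
    ignores the reboot request only delays the outcome until the panic fires."""
    sep: SepInactivityTimer
    kernel_honors_reboot: bool = True
    before_first_unlock: bool = True
    boots: int = 0
    log: List[Tuple[str, float]] = field(default_factory=list)

    def unlock(self, now: float) -> None:
        self.before_first_unlock = False
        self.sep.record_unlock(now)
        self.log.append(("unlock", now))

    def _reboot(self, now: float, reason: str) -> None:
        self.boots += 1
        self.before_first_unlock = True  # back to BFU: files stay encrypted until the passcode
        self.sep.reset_at_boot(now)
        self.log.append((reason, now))

    def step(self, now: float) -> Action:
        action = self.sep.tick(now)
        if action is Action.REBOOT:
            if self.kernel_honors_reboot:
                self._reboot(now, "reboot")
            else:
                self.log.append(("reboot_ignored", now))
        elif action is Action.KERNEL_PANIC:
            self._reboot(now, "kernel_panic")
        return action


def simulate(kernel_honors_reboot: bool, unlock_times, horizon_days: int = 5,
             step: int = 3600) -> Device:
    """Run the model over a few days with unlocks at the given timestamps (seconds)."""
    dev = Device(SepInactivityTimer(last_unlock=0.0), kernel_honors_reboot)
    pending = sorted(unlock_times)
    for t in range(0, horizon_days * DAY + 1, step):
        while pending and pending[0] <= t:
            dev.unlock(pending.pop(0))
        dev.step(t)
    return dev


if __name__ == "__main__":
    print(simulate(True, [0, DAY]).log)   # unlock, unlock, then a reboot on day 4
    print(simulate(False, [0, DAY]).log)  # reboot ignored, then a kernel panic
```

Running the two scenarios shows why the design is hard to defeat from the main kernel alone: a cooperating kernel reboots cleanly three days after the last unlock, while a kernel that swallows the request is panicked a short time later and lands in the same BFU state.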

Because Inactivity Reboot runs inside the SEP rather than the main iOS kernel, it is significantly harder to defeat, even when the main kernel is compromised (as with jailbreak tools). As Classen mentioned, little is publicly known about the SEP, since Apple keeps its firmware confidential.

Upon rebooting, the iPhone enters the Before First Unlock (BFU) state, in which the files on the device remain encrypted until the user enters the passcode. Even Cellebrite, a firm known for extracting data from locked iPhones, acknowledges the difficulty of retrieving information from a device in BFU mode.

[Image: Cellebrite tool used for accessing locked iPhones]

While Apple hasn’t explicitly stated its motivations for integrating the Inactivity Reboot feature in iOS 18, the implications are apparent. The company is likely aiming to mitigate the effectiveness of tools such as Cellebrite and Pegasus spyware that are frequently utilized by law enforcement. This also serves to safeguard ordinary users who may fall victim to data theft during criminal incidents.

For further insights on reverse engineering the Inactivity Reboot feature, visit Jiska Classen’s blog.
